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To  provide  individuals  Avith  access  to  health  information  of  which  they  are 
a  subject,  ensure  personal  privacy  with  respect  to  health-care-related 
information,  impose  criminal  and  civil  penalties  for  unauthorized  use 
of  protected  health  information,  to  pro\ide  for  the  strong  enforcement 
of  these  rights,  and  to  protect  States'  rights. 


H.  R.  1057 


IN  THE  HOUSE  OF  REPRESENTATIVES 

March  10,  1999 

Mr.  Markey  (for  himself,  Mr.  McDermott,  Mr.  FROST,  Ms.  Kaptur,  Mr. 
MOAKLEY,  Ms.  Roybal-Allard,  Mr.  Nadler,  Mr.  Frank  of  Massachu- 
setts, Mr.  Cro\\tley,  Mr.  Green  of  Texas,  Mr.  McGovERN,  Mr.  Lu- 
ther, Mr.  Sant>ers,  Mr.  Mascara,  Mr.  Brown  of  California,  Mr.  Ro- 
mero-Barcelo,  Mr.  Delahunt,  Mr.  DeFazio,  Mr.  Capuano,  Mr. 
Stark,  Mr.  Strickland,  and  Ms.  Lofgren)  introduced  the  following 
bill;  which  was  referred  to  the  Committee  on  Commerce,  and  in  addition 
to  the  Committee  on  the  Judiciary,  for  a  period  to  be  subsequently  deter- 
mined by  the  Speaker,  in  each  case  for  consideration  of  such  provisions 
as  fall  within  the  jurisdiction  of  the  committee  concerned 


To  provide  individuals  with  access  to  health  information  of 
which  they  are  a  subject,  ensure  personal  privacy  with 
respect  to  health-care-related  information,  impose  crimi- 
nal and  civil  penalties  for  unauthorized  use  of  protected 
health  information,  to  provide  for  the  strong  enforcement 
of  these  rights,  and  to  protect  States'  rights. 

1  Be  it  enacted  hy  the  Senate  and  House  of  Representa- 

2  tives  of  the  United  States  of  America  in  Congress  assembled, 
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1  SECTION  1.  SHORT  TITLE;  TABLE  OF  CONTENTS. 

2  (a)  Short  Title. — This  Act  may  be  cited  as  the 

3  "Medical  Information  Privacy  and  Security  Act". 

4  (b)  Table  of  Contents. — The  table  of  contents  for 

5  this  Act  is  as  follows: 

Sec.  1.  Short  title;  table  of  contents. 
Sec.  2.  Findings. 
Sec.  3.  Purposes. 
Sec.  4.  Definitions. 

TITLE  I— INDIVIDUALS'  RIGHTS 


Subtitle  A — ^Access  to  Protected  Health  Information  by  Subjects  of  the 

Information 


Sec. 

101. 

Inspection  and  copjdng  of  protected  health  information. 

Sec. 

102. 

Supplements  to  protected  health  information. 

Sec. 

103. 

Notice  of  privacy  practices. 

Subtitle  B — Establishment  of  Safeguards 

Sec. 

111. 

Establishment  of  safeguards. 

Sec. 

112.  Accountuig  for  disclosures. 

TITLE  II— RESTRICTIONS  ON  USE  AND  DISCLOSURE 

Sec. 

201. 

General  rules  regarding  use  and  disclosure. 

Sec. 

202. 

Authorizations  for  disclosure  of  protected  health  information  for 

treatment  and  payment. 

Sec. 

203. 

Authorizations  for  disclosure  of  protected  health  information  other 

than  for  treatment  or  payment. 

Sec. 

204. 

Emergency  circumstances. 

Sec. 

205. 

Public  health. 

Sec. 

206. 

Protection  and  advocacy  agencies. 

Sec. 

207. 

Oversight. 

Sec. 

208. 

Disclosure  for  law  enforcement  purposes. 

Sec. 

209. 

Next  of  kin  and  directory  information. 

Sec. 

210. 

Health  research. 

Sec. 

211. 

Judicial  and  administrative  purposes. 

Sec. 

212. 

Individual  representatives.  ; 

Sec. 

213. 

Prohibition  against  retaliation. 

TITLE  III— OFFICE  OF  HEALTH  INFORMATION  PRIVACY  OF  THE 
DEPARTMENT  OF  HEALTH  AND  HUMAN  SERVICES 

Subtitle  A — Designation 

Sec.  301.  Designation. 

Subtitle  B — Enforcement 
CHAPTER  1— Criminal  Provisions 
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Sec.  311.  Wrongful  disclosure  of  protected  health  information. 
Sec.  312.  Debarment  for  crimes. 

CHAPTER  2— Civil  Sanctions 
Sec.  321.  Civil  penalty. 

Sec.  322.  Procedures  for  imposition  of  penalties. 
Sec.  323.  Civil  action  by  individuals. 

TITLE  IV— MISCELLANEOUS 

Sec.  401.  Relationship  to  other  laws. 
Sec.  402.  Effective  date. 

1    SEC.  2.  FINDINGS. 


2  The  Confess  finds  as  follows: 

3  (1)  Individuals  have  a  right  of  privacy  with  re- 

4  spect  to  their  protected  health  information  and 

5  records.  ;                 ,  - 

6  (2)  With  respect  to  information  about  medical 

7  care  and  health  status,  the  traditional  right  of  con- 

8  fidentiality  (between  a  health  care  provider  and  a 

9  patient)  is  at  risk. 

10  (3)  An  erosion  of  the  right  of  privacy  may  re- 

1 1  duce  the  willingness  of  patients  to  confide  in  physi- 

12  cians  and  other  practitioners  and  may  inhibit  pa- 

13  tients  from  seeking  care. 

14  (4)  An  individual's  privacy  right  means  that  the 

15  individual's  consent  is  needed  to  disclose  his  or  her 

16  protected  health  information  and  that  the  individual 

17  has  a  right  of  access  to  that  health  information. 

18  (5)  Any  disclosure  of  protected  health  informa- 

19  tion  should  be  limited  to  that  information  or  portion 
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1  of  the  medical  record  necessary  to  fulfill  the  imme- 

2  diate  and  specific  purpose  of  the  disclosure. 

3  (6)  Health  research  often  depends  on  access  to 

4  both  identifiable  and  de-identified  patient  health  in- 

5  formation  and  health  research  is  critically  important 

6  to  the  health  and  well-being  of  all  people  in  the 

7  United  States.  < 

8  (7)  The  Supreme  Court  found  in  Jaffee  v. 

9  Redmond  (116  S.Ct.  1923  (1996))  that  there  is  an 

10  imperative  need  for  confidence  and  trust  between  a 

11  psychotherapist  and  a  patient  and  that  such  trust 

12  can  only  be  established  by  an  assurance  of  confiden- 

13  tiality.  This  assurance  serves  the  public  interest  by 

14  facilitating  the  provision  of  appropriate  treatment 

15  for  individuals. 

16  (8)  Section  264  of  the  Health  Insurance  Port- 

17  ability  and  Accountability  Act  of  1996  (42  U.S.C. 

18  1320d-2  note)  establishes  a  deadhne  that  Congress 

19  enact  legislation,  before  August  21,  1999,  to  protect 

20  the  privacy  of  protected  health  information. 

21  SEC.  3.  PURPOSES. 

22  The  purposes  of  this  Act  are  as  follows: 

23  ,    (1)  To  recognize  that  there  is  a  right  to  privacy 

24  with  respect  to  health  information,  including  genetic 

25  information,  and  that  this  right  must  be  protected. 
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1  (2)   To  create  incentives  to  turn  protected 

2  health  information  into  de-identified  health  informa- 

3  tion,  where  appropriate. 

4  (3)  To  designate  an  Office  of  Health  Informa- 

5  tion  Privacy  within  the  Department  of  Health  and 

6  Human  Services  to  protect  that  right  of  privacy. 

7  (4)  To  provide  individuals  with — 

8  (A)  access  to  health  information  of  which 

9  they  are  the  subject;  and  ; 

10  (B)  the  opportunity  to  challenge  the  accu- 

11  racy  and  completeness  of  such  information  by 

12  being  able  to  file  supplements  to  such  informa- 

13  tion.  :  ■■■  ■     '    ■'.               ,  . 

\A  (5)  To  provide  individuals  with  the  right  to 

15  limit  the  use  and  disclosure  of  protected  health  in- 

16  formation.  :  ; 

17  (6)  To  establish  strong  and  effective  mecha- 

18  nisms  to  protect  against  the  unauthorized  and  inap- 

19  propriate  use  of  protected  health  information. 

20  (7)  To  invoke  the  sweep  of  congressional  pow- 

21  ers,  including  the  power  to  enforce  the  14th  amend- 

22  ment,  to  regulate  commerce,  and  to  abrogate  the  im- 

23  munity  of  the  States  under  the  11th  amendment,  in 

24  order  to  address  violations  of  the  rights  of  individ- 

25  uals  to  privacy,  to  provide  individuals  with  access  to 
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1  their  health  information,  and  to  prevent  unauthor- 

2  ized  use  of  protected  health  information  that  is  ge- 

3  netic  information. 

4  (8)  To  establish  strong  and  effective  remedies 

5  for  violations  of  this  Act. 

6  (9)  To  protect  the  rights  of  States.  r 

7  SEC.  4.  DEFINITIONS. 

8  In  this  Act: 

9  (1)  Administrative  billing  information. — 

10  The    term    "administrative    biUing  information" 

1 1  means  any  of  the  following  forms  of  protected  health 

12  information: 

13  (A)  Date  of  service,  policy,  patient  identifi- 

14  ers,  and  practitioner  or  facility  identifiers. 

15  (B)  Diagnostic  codes,  in  accordance  with 

16  medicare  billing  codes,  for  which  treatment  is 

17  being  rendered  or  requested. 

18  (C)  Complexity  of  service  codes,  indicating 

19  duration  of  treatment. 

20  (D)  Total  billed  charges. 

21  (2)  Agent. — The  term  "agent"  means  a  person 

22  who  represents  and  acts  for  another  person  (a  prin- 

23  cipal)  under  a  contract  or  relationship  of  agency,  or 

24  whose  function  is  to  bring  about,  modify,  affect,  ac- 

25  cept  performance  of,  or  terminate,  contractual  obli- 
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1  ■  gations  between  the  principal  and  a  third  person. 

2  .       With  respect  to  an  employer,  the  term  includes  the 

3  employees  of  the  employer. 

4  (3)  De-identified  HEALTH  INFORMATION. — 

5  (A)  In  general. — The  term  "de-identified 

6  health  information"  means  any  protected  health 

7  information,  with  respect  to  which — 

8  (i)  all  personal  identifiers,  or  other  in- 

9  formation  that  may  be  used  by  itself  or  in 

10  combination  with  other  information  which 

11  :    may  be  available  to  re-identify  the  subject 

12  of  the  information,  have  been  removed;  and 

13  (ii)  a  good  faith  effort  to  evaluate  the 

14  risks  of  re-identification  of  the  subject  of 

15  ^      ■      such  information  in  the  context  in  which  it 

16  will  be  used  or  disclosed,  has  been  made. 

17  (B)  Examples. — The  term  includes  aggre- 

18  ^  gate  statistics,  redacted  health  information,  in- 

19  formation  in  which  random  or  fictitious  alter- 

20  natives  have  been  substituted  for  personally 

21  identifiable   information,    and   information  in 

22  ^     -  V    which  personally  identifiable  information  has 

23  been  encrypted  and  the  decryption  key  is  main- 

24  tained  by  a  person  otherwise  authorized  to  have 
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access  to  such  protected  health  information  in 
an  identifiable  format. 

(4)  Disclose. — The  term  "disclose"  means  to 
release,  publish,  share,  transfer,  transmit,  dissemi- 
nate, show,  permit  access  to,  re-identify,  or  other- 
wise divulge  protected  health  information  to  any  per- 
son other  than  the  individual  who  is  the  subject  of 
such  information.  The  term  includes  the  initial  dis- 
closure and  any  subsequent  redisclosure  of  protected 
health  information.  • 

(5)  Decryption  key. — The  term  "decryption 
key"  means  the  variable  information  used  in  or  pro- 
duced by  a  mathematical  formula,  code,  or  algo- 
rithm, or  any  component  thereof,  used  to  encrypt  or 
decrj^t  wire  or  electronic  communications  or  elec- 
tronically stored  information. 

(6)  Employer. — The  term  "employer"  means 
a  person  engaged  in  business  affecting  commerce 
who  has  employees.  --^ ' 

(7)  Encryption. — The  term  "encryption" 
means  the  scrambling  of  electronic  or  wire  commu- 
nications or  electronically  stored  information  using 
mathematical  formulas  or  algorithms  sufficient  to 
preserve  the  confidentiality,  integrity,  and  authentic- 
ity of  such  communications  or  information. 
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1  (8)  Health  care. — The  term  "health  care" 

2  means — 

3  .  (A)  preventive,  diagnostic,  therapeutic,  re- 

4  habilitative,  maintenance,  or  palhative  care,  in- 

5  eluding  appropriate  assistance  with  disease  or 

6  symptom  management  and  maintenance,  coun- 

7  seling,  service,  or  procedure — 

8  (i)  with  respect  to  the  physical  or 

9  '  mental  condition  of  an  individual;  or 

10  (ii)  affecting  the  structure  or  function 

11  of  the  human  body  or  any  part  of  the 

12  human  body,   including  the  banking  of 

13  blood,  sperm,  organs,  or  any  other  tissue; 

1 4  and 

15  (B)  any  sale  or  dispensing  of  a  drug,  de- 

16  vice,  equipment,  or  other  health  care  related 

17  item  to  an  individual,  or  for  the  use  of  an  indi- 

18  vidual,  pursuant  to  a  prescription. 

19  (9)    Health    care    provider. — The  term 

20  "health  care  provider"  means  a  person  who,  with  re- 

21  spect  to  a  specific  item  of  protected  health  informa- 

22  tion,  receives,  creates,  uses,  maintains,  or  discloses 

23  the  information  while  acting  in  whole  or  in  part  in 

24  the  capacity  of — 
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1  (A)  a  person  who  is  licensed,  certified,  reg- 

2  istered,  or  otherwise  authorized  by  Federal  or 

3  State  law  to  provide  an  item  or  service  that 

4  constitutes  health  care  in  the  ordinary  course  of 

5  business,  or  practice  of  a  profession; 

6  (B)  a  Federal  or  State  program  that  di- 

7  rectly  provides  items  or  services  that  constitute 

8  health  care  to  beneficiaries;  or  % 

9  (C)  an  officer  or  employee  or  agent  of  a 

10  person  described  in  subparagraph  (A)  or  (B) 

11  who  is  engaged  in  the  provision  of  health  care 

12  or  who  uses  health  information. 

13  (10)  Health  or  life  insurer. — The  term 

14  "health  or  hfe  insurer"  means  a  health  insurance 

15  issuer  (as  defined  in  section  9805(b)(2)  of  the  Inter- 

16  nal  Revenue  Code  of  1986)  or  a  life  insurance  com- 

17  pany  (as  defined  in  section  816  of  such  Code)  and 

18  includes  the  employees  and  agents  of  such  a  person. 

19  (11)  Health  oversight  agency. — The  term 

20  "health  oversight  agency" — 

21  (A)  means  a  person  who — 

22  *  (i)  performs  or  oversees  the  perform- 

23  ance  of  an  assessment,  investigation,  or 

24  prosecution  relating  to  compliance  with 

25  legal  or  fiscal  standards  relating  to  health 
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1  '  care  fraud  or  fraudulent  claims  regarding 

2  health  care,  health  services  or  equipment, 

3  or  related  activities  and  items;  and 

4  (ii)  is  a  public  executive  branch  agen- 

5  cy,  acting  on  behalf  of  a  public  executive 

6  branch  agency,  acting  pursuant  to  a  re- 

7  '  quirement  of  a  public  executive  branch 

8  agency,  or  carrying  out  activities  under  a 

9  ?  Federal  or  State  law  governing  an  assess- 

10  ment,  evaluation,  determination,  investiga- 

11  tion,  or  prosecution  described  in  clause  (i); 

12  and 

13  (B)  includes  the  employees  and  agents  of 

14  such  a  person. 

15  '  (12)  Health  plan. — The  term  "health  plan" 

16  means  any  health  insurance  plan,  including  any  hos- 

17  pital  or  medical  service  plan,  dental  or  other  health 

18  service  plan  or  health  maintenance  organization 

19  plan,  or  other  program  providing  or  arranging  for 

20  the  provision  of  health  benefits,  whether  or  not  fund- 

21  ed  through  the  purchase  of  insurance.  The  term  in- 

22  eludes  employee  welfare  benefit  plans  and  group 

23  plans  (as  defined  in  sections  3  and  607  of  the  Em- 

24  ployee  Retirement  Income  Security  Act  of  1974  (29 

25  U.S.C.  1002  and  1167)). 
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1  (13)  Health  researcher. — The  term  "health 

2  researcher"  means  a  person  who,  with  respect  to  a 

3  specific  item  of  protected  health  information,  re- 

4  ceives  the  information — 

5  (A)  pursuant  to  section  210  (relating  to 

6  health  research);  or 

7  (B)  while  acting  in  whole  or  in  part  in  the 

8  capacity  of  an  officer,  employee,  or  agent  of  a 

9  person  who  receives  the  information  pursuant 

10  to  such  section. 

11  (14)  Law  enforcement  inquiry. — The  term 

12  "law  enforcement  inquiiy"  means  a  lawful  executive 

13  branch  investigation  or  official  proceeding  inquiring 

14  into  a  violation  of,  or  failure  to  comply  with,  any 

15  criminal  or  civil  statute  or  any  regulation,  rule,  or 

16  order  issued  pursuant  to  such  a  statute. 

17  (15)  Office  of  health  information  pri- 

18  VACY. — The  term  "Office  of  Health  Information  Pri- 

19  vacy"  means  the  Office  of  Health  Information  Pri- 

20  vacy  designated  under  section  301. 

21  (16)  Person. — The  term  "person"  means  a 

22  government,  governmental  subdivision  of  an  execu- 

23  tive  branch  agency  or  authority;  corporation;  com- 

24  pany;  association;  firm;  partnership;  society;  estate; 
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1  .  J     trust;  joint  venture;  individual;  individual  represent- 

2  ative;  tribal  government;  and  any  other  legal  entity. 

3  (17)  Protected  health  information. — 

4  (A)  In  general. — The  term  "protected 

5  health  information"  means  any  information,  in- 

6  eluding  genetic  information,  demographic  infor- 

7  mation,  and  tissue  samples  collected  from  an 

8  individual,  whether  oral  or  recorded  in  any  form 

9  or  medium,  that — 

10  (i)  is  created  or  received  by  a  health 

11  ;  care  provider,  health  researcher,  health 

12  plan,  health  oversight  agency,  public  health 

13  .  authority,  employer,  health  or  life  insurer, 

14  school  or  university;  and 

15  .  (ii)(I)  relates  to  the  past,  present,  or 

16  future  physical  or  mental  health  or  condi- 

17  tion  of  an  individual  (including  individual 

18  V.  cells  and  their  components),  the  provision 

19  of  health  care  to  an  individual,  or  the  past, 

20  ■  present,  or  future  payment  for  the  provi- 

21  '    sion  of  health  care  to  an  individual;  and 

22  ^  .  .       '  .      (II)  (aa)  identifies  an  individual;  or 

23  (bb)  with  respect  to  which  there  is  a 

24  reasonable  basis  to  believe  that  the  infor- 
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1  mation  can  be  used  to  identify  an  individ- 

2  ual;  and 

3  (B)  Decryption  key. — The  term  "pro- 

4  tected  health  information"  includes  any  infor- 

5  mation  described  in  paragraph  (5). 

6  (18)  Public  health  authority. — The  term 

7  "public  health  authority"  means  an  authority  or  in- 

8  strumentality  of  the  United  States,  a  tribal  govern- 

9  ment,  a  State,  or  a  political  subdivision  of  a  State 

10  that  is — 

11  (A)  primarily  responsible  for  public  health 

12  matters;  and 

13  (B)  primarily  engaged  in  activities  such  as 

14  injury  reporting,  public  health  surveillance,  and 

15  public  health  investigation  or  intervention. 

16  (19)  Re-identify. — The  term  "re-identify", 

17  when  used  with  respect  to  de-identified  health  infor- 

18  mation,  means  an  attempt,  successful  or  otherwise, 

19  to  ascertain — 

20  (A)  the  identity  of  the  individual  who  is 

21  the  subject  of  such  information;  or 

22  (B)  the  decryption  key  with  respect  to  the 

23  information  (when  undertaken  with  knowledge 

24  that  such  key  would  allow  for  the  identification 
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1  of  the  individual  who  is  the  subject  of  such  in- 

2  formation). 

3  •  (20)    School   or   university. — The  term 

4  "school  or  university"  means  an  institution  or  place 

5  for  instruction  or  education,  including  an  elementary 

6  school,  secondary  school,  or  institution  of  higher 

7  learning,  a  college,  or  an  assemblage  of  colleges 

8  united  under  one  corporate  organization  or  govern- 

9  ment.  , 

10  (21)     Secretary. — The    term  "Secretary" 

1 1  means  the  Secretary  of  Health  and  Human  Services. 

12  (22)  State. — The  term  "State"  includes  the 

13  District  of  Columbia,  Puerto  Rico,  the  Virgin  Is- 

14  lands,  Guam,  American  Samoa,  and  the  Northern 

15  Mariana  Islands. 

16  (23)     To     THE     MAXIMUM     EXTENT  PRAC- 

17  TICABLE. — The  term  "to  the  maximum  extent  prac- 

18  ticable"  means  the  level  of  compliance  that  a  reason- 

19  able  person  would  deem  technologically  feasible  so 

20  long  as  such  feasibility  is  periodically  evaluated  in 

21  light  of  scientific  advances.  :  ■ 

22  (24)  Writing. — The  term  "writing"  means 

23  writing  in  either  a  paper-based  or  computer-based 

24  form,  including  electronic  and  digital  signatures. 
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1  TITLE  I— INDIVIDUALS'  RIGHTS 

2  Subtitle  A— Access    to  Protected 

3  Health  Information  by  Subjects 

4  of  the  Information 

5  SEC.   101.   INSPECTION  AND   COPYING   OF  PROTECTED 

6  HEALTH  INFORMATION. 

7  (a)  Right  of  Individual. — 

8  (1)   In   generai^. — health   care  provider, 

9  health  plan,  employer,  health  or  life  insurer,  school, 

10  or  university,  or  a  person  acting  as  the  agent  of  any 

11  such  person,  shall  permit  an  individual  who  is  the 

12  subject  of  protected  health  information,  or  the  indi- 

13  vidual's  designee,  to  inspect  and  copy  protected 

14  health  information  concerning  the  individual,  includ- 

15  ing  records  created  under  sections  102,  112,  202, 

16  203,  208,  and  211,  that  such  person  maintains. 

17  (2)  Procedures  and  fees. — person  de- 

18  scribed  in  paragraph  (1)  may  set  forth  appropriate 

19  procedures  to  be  followed  for  inspection  and  copying 

20  under  such  paragi^aph  and  may  require  an  individual 

21  to  pay  fees  associated  with  such  inspection  and  copy- 

22  ing  in  an  amount  that  is  not  in  excess  of  the  actual 

23  costs  of  providing  such  copying.  Such  fees  may  not 

24  be  assessed  where  such  an  assessment  would  have 

25  the  effect  of  inhibiting  an  individual  from  gaining 
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1  access  to  the  information  described  in  paragi'aph 

2  (1).  : 

3  (b)  Deadline. — person  described  in  subsection 

4  (a)(1)  shall  comply  with  a  request  for  inspection  or  copy- 

5  ing  of  protected  health  information  under  this  section  not 

6  later  than  15  business  days  after  the  date  on  which  the 

7  person  receives  the  request. 

8  (c)  Rules  Governing  Agents. — person  acting  as 

9  the  agent  of  a  person  described  in  subsection  (a)  shall  pro- 

10  vide  for  the  inspection  and  copying  of  protected  health  in- 

1 1  formation  if — 

12  (1)  the  protected  health  information  is  retained 

13  by  the  agent;  and 

14  (2)  the  agent  has  been  asked  by  the  person  in- 

15  volved  to  fulfill  the  requirements  of  this  section. 

16  (d)  Special  Rule  Relating  to  Ongoing  Clinical 

17  Trials. — ^With  respect  to  protected  health  information 

18  that  is  created  as  part  of  an  individual's  participation  in 

19  an  ongoing  clinical  trial,  access  to  the  information  shall 

20  be  provided  consistent  with  the  individual's  agreement  to 

21  participate  in  the  clinical  trial. 

22  SEC.  102.  SUPPLEMENTS  TO  PROTECTED  HEALTH  INFOR- 

23  MATION. 

24  (a)  In  General. — Not  later  than  45  days  after  the 

25  date  on  which  a  health  care  provider,  health  plan,  em- 
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1  ployer,  health  or  hfe  insurer,  school,  or  university,  or  a 

2  person  acting  as  the  agent  of  any  such  person,  receives 

3  from  an  individual  a  request  in  writing  to  supplement  pro- 

4  tected  health  information  concerning  the  individual,  such 

5  person —  , 


6  (1)  shall  add  the  supplement  requested  to  the 

7  information; 

8  (2)  shall  inform  the  individual  that  the  supple- 

9  ment  has  been  made;  and 

10  (3)  shall  make  reasonable  efforts  to  inform  any 

11  person  to  whom  the  portion  of  the  unsupplemented 

12  information  was  previously  disclosed,  of  any  sub- 

13  stantive  supplement  that  has  been  made.  : 

14  (b)  Refusal  To  Supplement. — If  a  person  de- 

15  scribed  in  subsection  (a)  declines  to  make  the  supplement 

16  requested  under  such  subsection,  the  person  shall  inform 

17  the  individual  in  writing  of — 

18  (1)  the  reasons  for  declining  to  make  the  sup- 

19  plement;  v« 

20  (2)  any  procedures  for  further  review  of  the  de- 

21  dining  of  such  supplement;  and 

22  (3)  the  individual's  right  to  file  with  the  person 

23  a  concise  statement  setting  forth  the  requested  sup- 

24  plement  and  the  individual's  reasons  for  disagreeing 

25  with  the  dechning  person  and  the  individual's  right 
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1  to  include  a  copy  of  this  refusal  in  his  or  her  health 

2  record. 

3  (c)  Statement  of  Disagreement. — ^If  an  indi\ad- 

4  ual  has  filed  with  a  person  a  statement  of  disagreement 

5  under  subsection  (b)(3),  the  person,  in  any  subsequent  dis- 

6  closure  of  the  disputed  portion  of  the  information — 

7  ■      (1)  shall  include,  at  the  individual's  request,  a 

8  copy  of  the  individual's  statement;  and 

9  (2)  may  include  a  concise  statement  of  the  rea- 

10  sons  for  not  making  the  requested  supplement. 

1 1  (d)  Rules  Governing  Agents. — person  acting  as 

12  the  agent  of  a  person  described  in  subsection  (a)  shall  not 

13  be  required  to  make  a  supplement  to  protected  health  in- 

14  formation,  except  where — 

15  (1)  the  protected  health  information  is  retained 

16  by  the  agent;  and  ■ 

17  (2)  the  agent  has  been  asked  by  such  person  to 

18  fulfill  the  requirements  of  this  section. 

19  SEC.  103.  NOTICE  OF  PRIVACY  PRACTICES. 

20  (a)  Preparation  of  Written  Notice. — health 

21  care  provider,  health  plan,  health  oversight  agency,  public 

22  health  authority,  employer,  health  or  life  insurer,  school, 

23  or  university,  or  a  person  acting  as  the  agent  of  any  such 

24  person,  shall  prepare  a  \\Titten  notice  of  the  privacy  prac- 
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1  tices  of  the  person  that  provides  information  with  respect 

2  to  the  following: 


3  (1)  The  procedures  for  an  individual  to  author- 

4  ize  disclosures  of  protected  health  information,  and 

5  to  object  to,  modify,  and  revoke  such  authorizations. 

6  (2)  The  right  of  an  individual  to  inspect,  copy, 

7  and  supplement  the  protected  health  information. 

8  (3)  The  right  of  an  individual  not  to  have  em- 

9  ployment  or  the  receipt  of  services  conditioned  upon 

10  the  execution  by  the  individual  of  an  authorization 

11  for  disclosure. 

12  (4)  A  description  of  the  categories  or  types  of 

13  employees,  by  general  category  or  by  general  job  de- 

14  scription,  who  have  access  to  or  use  of  protected 

15  health  information  within  the  person.  ' 

16  (5)  A  simple,  concise  description  of  any  infor- 

17  mation  systems  used  to  store  or  transmit  protected 

18  health  information,  including  a  description  of  any 

19  linkages  made  with  other  electronic  systems  or  data- 

20  bases  outside  the  person. 

21  (6)  The  right  of  the  individual  to  request  seg- 

22  regation  of  protected  health  information,  and  to  re- 

23  strict  the  use  of  such  information  by  employees, 

24  agents,  and  contractors  of  a  person. 
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1  (7)  The  circumstances  under  which  the  infor- 

2  mation  may  be  used  or  disclosed  without  an  author- 

3  ization  executed  by  the  individual. 

4  ,  (8)  A  statement  that  an  individual  may  elect  to 

5  pay  for  health  care  from  the  individual's  own  funds 

6  and  information  on  the  right  of  such  an  individual 

7  to  elect  for  identifying"  information  not  to  be  dis- 

8  closed  to  anyone  other  than  health  care  providers, 

9  unless  such  disclosure  is  required  by  mandatory  re- 

10  porting  requirements  or  other  similar  information 

1 1  collection  duties  required  by  law. 

12  (b)  Provision  and  Posting  of  Written  No- 

13  TICE. — 

14  (1)  Provision. — person  described  in  sub- 

15  section  (a)  shall  provide  a  copy  of  the  written  notice 

16  of     privacy     practices     required     under  such 

17  subsection — 

18  (A)  at  the  time  an  authorization  is  sought 

19  for  disclosure  of  protected  health  information; 

20  and 

21  (B)  upon  the  request  of  an  individual. 

22  (2)  Posting. — ^A  person  described  in  subsection 

23  (a)  shall  post,  in  a  clear  and  conspicuous  manner,  a 

24  brief  summary  of  the  privacy  practices  of  the  person. 
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1  (c)  Model  Notice. — The  director  of  the  Office  of 

2  Health  Information  Privacy,  after  notice  and  opportunity 

3  for  pubhc  comment,  shall  develop  and  disseminate  model 

4  notices  of  privacy  practices,  and  model  summary  notices 

5  for  posting,  for  use  under  this  section.  Use  of  such  a  model 

6  notice  shall  be  deemed  to  satisfy  the  requirements  of  this 

7  section. 

8  Subtitle  B — Establishment  of 

9  Safeguards 

10  SEC.  111.  ESTABLISHMENT  OF  SAFEGUARDS. 

11  (a)  In  General. — health  care  provider,  health 

12  plan,  health  oversight  agency,  public  health  authority,  em- 

13  ployer,  health  researcher,  law  enforcement  official,  health 

14  or  life  insurer,  school,  or  university,  or  a  person  acting 

15  as  the  agent  of  any  such  person,  shall  establish  and  main- 

16  tain  appropriate  administrative,  organizational,  technical, 

17  and  physical  safeguards  and  procedures  to  ensure  the  con- 

18  fidentiality,  security,  accuracy,  and  integrity  of  protected 

19  health  information  created,   received,  obtained,  main- 

20  tained,  used,  transmitted,  or  disposed  of  by  such  person. 

21  (b)  Factors  To  Be  Considered. — The  policies  and 

22  safeguards  under  subsection  (a)  shall  ensure  that — 

23  (1)  protected  health  information  is  used  or  dis- 

24  closed  only  when  necessary; 
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1  (2)  the  categories  of  personnel  who  will  have  ac- 

2  cess  to  protected  health  information  are  identified; 

3  and.  ,  . 

4  (3)  the  feasibility  of  limiting  access  to  protected 

5  health  information  is  considered. 

6  (c)  Model  Guidelines. — The  Secretary,  in  con- 

7  sultation  with  the  Director  of  the  Office  of  Health  Infor- 

8  mation  Privacy  appointed  under  section  301,  after  notice 

9  and  opportunity  for  pubhc  comment,  shall  develop  and  dis- 

10  seminate  model  guidelines  for  the  establishment  of  safe- 

11  g-uards  and  procedures  for  use  under  this  section,  such 

12  as,  where  appropriate,  individual  authentication  of  uses  of 

13  computer  systems,  access  controls,  audit  trails,  encryption, 

14  physical  security,  protection  of  remote  access  points  and 

15  protection  of  external  electronic  communications,  periodic 

16  security  assessments,  incident  reports,  and  sanctions.  The 

17  director  shall  update  and  disseminate  the  guidelines,  as 

18  appropriate,  to  take  advantage  of  new  technologies. 

19  SEC.  112.  ACCOUNTING  FOR  DISCLOSURES. 

20  (a)  Ix  General. — health  care  provider,  health 

21  plan,  health  oversight  agency,  public  health  authority,  em- 

22  ployer,  health  researcher,  law  enforcement  official,  health 

23  or  life  insurer,  school,  or  university,  or  a  person  acting 

24  as  the  agent  of  any  such  person,  shall  establish  and  main- 

25  tain,  with  respect  to  any  protected  health  information  dis- 
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1  closure  that  is  not  related  to  payment  or  treatment,  a 

2  record  of  the  disclosure  in  accordance  with  regulations 

3  issued  by  the  Secretary  in  consultation  with  the  director 

4  of  the  Office  of  Health  Information  Privacy. 

5  (b)  Maintenance  op  Record. — record  estab- 

6  lished  under  subsection  (a)  shall  be  maintained  for  not  less 

7  than  7  years.  ~ 

8  (c)  Electronic  Records. — health  care  provider, 

9  health  plan,  health  oversight  agency,  public  health  author- 

10  ity,  employer,  health  researcher,  law  enforcement  official, 

11  health  or  life  insurer,  school,  or  university,  or  a  person 

1 2  acting-  as  the  agent  of  any  such  person,  shall,  to  the  maxi- 

13  mum  extent  practicable,  maintain  an  accessible  electronic 

14  record  concerning  each  access,  or  attempt  to  access, 

15  whether  authorized  or  unauthorized,  successful  or  unsuc- 

16  cessfiil,  protected  health  information  maintained  by  such 

17  person  in  electronic  form.  The  record  shall  include  the 

18  identity  of  the  specific  individual  accessing  or  attempting 

19  to  gain  such  access  (or  a  way  to  identify  that  individual 

20  or  information  helpful  in  determining  the  identity  of  such 

21  individual),  information  sufficient  to  identify  the  protected 

22  health  information  sought  or  accessed,  and  other  appro- 

23  priate  information.  ' 
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1  TITLE  II— RESTRICTIONS  ON 

2  USE  AND  DISCLOSURE 

3  SEC.  201.  GENERAL  RULES  REGARDING  USE  AND  DISCLO- 

4  SURE. 

5  (a)  Prohibition. — 

6  (1)  General  rule. — health  care  provider, 

7  health  plan,  health  oversight  agency,  public  health 

8  authority,  employer,  health  researcher,  law  enforce- 

9  ment  official,  health  or  life  insurer,  school,  or  univer- 

10  sity  may  not  disclose  or  use  protected  health  infor- 

1 1  mation  except  as  authorized  under  this  Act. 

12  (2)  Rule  op  construction. — Disclosure  of 

13  de-identified  health  information  shall  not  be  con- 

14  strued  as  a  disclosure  of  protected  health  informa- 

15  tion. 

16  (b)  Scope  OF  Disclosure. — 

17  (1)  In  general. — disclosure  of  protected 

18  health  information  under  this  title  shall  be  limited  to 

19  the  minimum  amount  of  information  necessary  to 

20  accomplish  the  purpose  for  which  the  disclosure  is 

21  made. 

22  (2)  Determination. — The  determination  as  to 

23  what  constitutes  the  minimum  disclosure  possible  for 

24  purposes  of  paragraph  (1)  shall  be  made  by  a  health 

25  care  provider.  •  ?    ■                      ;  . 
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1  (c)  Use  or  Disclosure  for  Purpose  Only. — 

2  recipient  of  information  pursuant  to  this  title  may  use  or 

3  disclose  such  information  solely  to  carry  out  the  purpose 

4  for  which  the  information  was  disclosed.  i 

5  (d)  No  General  Requirement  To  Disclose. — 

6  Nothing  in  this  title  permitting  the  disclosure  of  protected 

7  health  information  shall  be  construed  to  require  such  dis- 

8  closure. 

9  (e)  Identification  of  Disclosed  Information  as 

10  Protected  Health  Information. — Protected  health 

1 1  information  disclosed  pursuant  to  this  title  shall  be  clearly 

12  identified  as  protected  health  information  that  is  subject 

13  to  this  Act.  •    -  ;■ 

14  (f)  Disclosure  by  Agents. — ^An  agent  of  a  person 

15  described  in  subsection  (a)(1),  who  receives  protected 

1 6  health  information  from  the  person  while  acting  within  the 

17  scope  of  the  agency,  shall  be  subject  to  this  title  to  the 

18  same  extent  as  the  person  and  for  the  duration  of  the  pe- 

19  riod  in  which  the  agent  holds  the  information. 

20  (g)  Creation  of  De-Identified  Information. — 

21  Notwithstanding  subsection  (c),  but  subject  to  the  other 

22  provisions  of  this  section,  a  person  described  in  subsection 

23  (a)(1)  may  disclose  protected  health  information  to  an  em- 

24  ployee  or  other  agent  of  the  person  for  purposes  of  creat- 

25  ing  de-identified  information.  .  i 
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1  (h)  Unauthorized  Use  or  Disclosure  op  the 

2  Decryption  Key. — The  unauthorized  disclosure  of  a 

3  deerj^tion  key  shall  be  deemed  to  be  a  disclosure  of  pro- 

4  tected  health  information.  The  unauthorized  use  of  a 

5  decrv'ption  key  or  de-identified  health  information  in  order 

6  to  identify  an  indi\ddual  is  deemed  to  be  disclosure  of  pro- 

7  tected  health  information. 

8  (i)  No  Warmer. — Except  as  provided  in  this  Act,  an 

9  authorization  to  disclose  personally  identifiable  health  in- 

10  formation  executed  by  an  individual  pursuant  to  section 

11  202  or  203  shall  not  be  construed  as  a  waiver  of  any  rights 

12  that  the  individual  has  under  other  Federal  or  State  laws, 

13  the  rules  of  evidence,  or  common  law. 

14  (j)  Depinitions. — For  purposes  of  this  title: 

15  (1)  In^stigative  or  law  enporcement  op- 

16  picer. — The  term  "investigative  or  law  enforcement 

17  officer"  means  any  officer  of  the  United  States  or  of 

18  a  State  or  political  subdivision  thereof,  who  is  em- 

19  powered  by  law  to  conduct  investigations  of,  or  to 

20  make  arrests  for,  criminal  offenses,  and  any  attor- 

21  ney  authorized  by  law  to  prosecute  or  participate  in 

22  the  prosecution  of  such  offenses.  ' 

23  (2)  Segregate. — The  term  "segregate"  means 

24  to  place  a  designated  subset  of  an  individuals  pro- 

25  tected  health  information  in  a  location  or  computer 
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1  file  that  is  separate  from  the  location  or  computer 

2  file  used  to  store  protected  health  information  and 

3  where  access  to  or  use  of  any  information  so  seg- 

4  regated  may  be  effectively  limited  to  those  persons 

5  who  are  authorized  by  the  individual  to  access  or  use 

6  such  information. 

7  (3)  Signed. — The  term  "signed"  refers  to  both 

8  signatures  in  ink  and  electronic  signatures,  and  the 

9  term  'Smtten"  refers  to  both  paper  and  computer- 

10  ized  formats. 

11  SEC.  202.  AUTHORIZATIONS  FOR  DISCLOSURE  OF  PRO- 

12  TECTED  HEALTH  INFORMATION  FOR  TREAT- 

13  MENT  AND  PAYMENT. 

14  (a)   Requirements  Relating  to  Employers, 

15  HEi\LTH  Pi^NS,  Health  or  Life  Insurers,  Unin- 

16  SURED  lNDmDU.\LS,  AND  PROVIDERS. — 

17  (1)  In  GENERAL. — To  satisfy  the  requirement 

18  under  section  201(a)(1),  an  employer,  health  plan, 

19  health  or  life  insurer,  or  health  care  provider  that 

20  seeks  to  disclose  protected  health  information  in  con- 

21  nection  with  treatment  or  payment  shall  obtain  an 

22  authorization  that  satisfies  the  requirements  of  this 

23  section.  The  authorization  may  be  a  single  author- 

24  ization. 
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1  (2)  Employers. — Every  employer  offering;  a 

2  health  plan  to  its  employees  shall,  at  the  time  of  an 

3  employee's  enrollment  in  the  health  plan,  obtain  a 

4  sigTied,  wTitten  authorization  that  is  a  legal,  in- 

5  formed  authorization  that  satisfies  the  requirements 

6  of  subsection  (b)  concerning  the  use  and  disclosure 
!               7  of  protected  health  information  for  treatment  or 

8  pa\Tnent  with  respect  to  each  individual  who  is  eligi- 

9  ble  to  receive  care  under  the  health  plan. 

!  10  (3)  Health  plans,  health  or  life  insur- 

1 1  ERS. — Every  health  plan  or  health  or  life  insurer  of- 

i  12  fei'ing   enrollment   to    individual    or  nonemployer 

13  groups  shall,  at  the  time  of  enrollment  in  the  plan 

14  or  insurance,  obtain  a  signed,  written  authorization 

15  that  is  a  legal,  informed  authorization  that  satisfies 

16  the  requirements  of  subsection  (b)  concerning  the 
I              17  use  and  disclosure  of  protected  health  information 

18  \\dth  respect  to  each  individual  who  is  eligible  to  re- 

19  ceive  care  under  the  plan  or  insurance. 

20  (4)  Uninsured. — ^An  originating  provider  pro- 

21  viding  health  care  in  other  than  a  network  plan  set- 

22  ting,  or  providing  health  care  to  an  uninsured  indi- 

23  vidual,  shall  obtain  a  signed,  written  authorization 

24  that  satisfies  the  requirements  of  subsection  (b)  to 

25  use  protected  health  information  in  providing  health 
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1  care  or  arranging'  for  health  care  from  other  provid- 

2  ers  or  seeking  pajonent  for  the  provision  of  health 

3  care  services. 

4  (5)  Providers. —  - 

5  (A)  In  general. — Every  health  care  pro- 

6  vider  providing  health  care  to  an  individual  who 

7  has  not  given  the  appropriate  authorization 

8  under  this  section  shall,  at  the  time  of  provid- 

9  ing  such  care,  obtain  a  signed,  written  author- 

10  ization  that  is  a  legal,  informed  authorization, 

11  that  satisfies  the  requirements  of  subsection 

12  (b),  concerning  the  use  and  disclosure  of  pro- 

13  tected  health  information  with  respect  to  such 

14  individual.  ''At 

15  (B)  Rule  of  construction. — Subpara- 

16  .  graph  (A)  shall  not  be  construed  to  preclude 

17  the  provision  of  health  care  to  an  individual 

18  who  has  not  given  appropriate  authorization 

19  prior  to  receipt  of  such  care  if —  <  *. 

20  (i)  the  health  care  provider  involved 

21  determines  that  such  care  is  essential;  and 

22  .      (ii)  the  individual  can  reasonably  be 

23  expected  to  sign  an  authorization  for  such 

24  •  care  when  appropriate.  . 
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1  (b)  Requirements  for  Individual  Authoriza- 

2  TION. — To  satisfy  the  requirements  of  this  subsection,  an 

3  authorization  to  disclose  protected  health  information — 

4  (1)  shall  identify,  by  general  job  description  or 

5  other  functional  description,  persons  authorized  to 

6  disclose  the  information; 

7  (2)  shall  describe  the  nature  of  the  information 

8  to  be  disclosed; 

9  ;  (3)  shall  identify,  by  general  job  description  or 

10  other  functional  description,  persons  to  whom  the  in- 

11  formation  is  to  be  disclosed,  including  individuals 

12  employed  by,  or  operating  within,  an  entity  to  which 

13  information  is  authorized  to  be  disclosed; 

14  (4)  shall  describe  the  purpose  of  the  disclosures; 

15  (5)  shall  permit  the  executing  individual  to  indi- 

16  cate  that  a  particular  individual  listed  on  the  author- 

17  ization  is  not  authorized  to  receive  protected  health 

18  information  concerning  the  individual,  except  as  pro- 

19  vided  for  in  subsection  (c)(3); 

20  (6)  shall  pro\ide  the  means  by  which  an  individ- 

21  ual  may  indicate  that  some  of  the  individual's  pro- 

22  tected  health  information  should  be  segregated  and 

23  to  what  persons  such  segregated  information  may  be 

24  disclosed;  v 
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1  (7)  shall  be  subject  to  revocation  by  the  individ- 

2  ual  and  indicate  that  the  authorization  is  valid  until 

3  revocation  by  the  individual  or  until  an  event  or  date 

4  specified;  and 

5  (8) (A)  shall  be— 

6  (i)  in  wi'iting',  dated,  and  signed  by  the  in- 

7  dividual;  or 

8  (ii)  in  electronic  form,  dated  and  authenti- 

9  cated  by  the  individual  using  an  authentication 

10  method  approved  by  the  Secretary;  and 

11  (B)  shall  not  have  been  revoked  under  subpara- 

12  graph  (A). 

13  (c)  Limitation  on  Authorizations. — 

14  (1)  In  general. — Subject  to  paragraphs  (2) 

15  and  (3),  a  person  described  in  subsection  (a)  who 

16  seeks  an  authorization  under  such  subsection  may 

17  not  condition  the  delivery  of  treatment  or  payment 

18  for  services  on  the  receipt  of  such  an  authorization. 

19  (2)  Right  to  require  self  payment. — If  an 

20  individual  has  refused  to  provide  an  authorization 

21  for  disclosure  of  administrative  billing  information  to 

22  a  person  and  such  authorization  is  necessary  for  a 

23  health  care  provider  to  receive  payment  for  services 

24  delivered,  the  health  care  provider  may  require  the 
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1  indi^ddual  to  pay  from  their  own  funds  for  the  serv- 

2  ices.  ' 

3  (3)  Right  of  health  care  provider  to  re- 

4  quire   authorization    for   treatment  pur- 

5  POSES. — If  a  health  care  provider  that  is  seeking  an 

6  authorization  for  disclosure  of  an  individual's  pro- 

7  tected  health  information  believes  that  the  disclosure 

8  of  such  information  is  necessar\^  so  as  not  to  endan- 

9  ger  the  health  or  treatment  of  the  individual,  the 

10  health  care  provider  may  condition  the  provision  of 

11  services  upon  the  execution  of  the  authorization  by 

12  the  indi\ddual. 

13  (d)  Model  Authorizations. — The  Secretary,  after 

14  notice  and  opportunity  for  pubhc  comment,  shall  develop 

15  and  disseminate  model  wTitten  authorizations  of  the  type 

16  described  in  this  section  and  model  statements  of  the  limi- 

17  tations  on  authorizations.  Any  authorization  obtained  on 

18  a  model  authorization  form  under  section  202  developed 

19  by  the  Secretary  pursuant  to  the  preceding-  sentence  shall 

20  be  deemed  to  satisfy  the  requirements  of  this  section. 

21  (e)  Segregation  of  Files. — ^A  person  described  in 

22  subsection  (a)(1)  shall  comply,  to  the  maximum  extent 

23  practicable,  with  the  request  of  an  indi\idual  who  is  the 

24  subject  of  protected  health  information — 
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1  (1)  to  segregate  any  type  or  amount  of  pro- 

2  tected  health  information,  other  than  administrative 

3  bilhng  information,  held  by  the  entity;  and 

4  (2)  to  hmit  the  use  or  disclosure  of  the  seg- 

5  related  health  information  within  the  entity  to  those 

6  persons  specifically  designated  by  the  subject  of  the 

7  protected  health  information. 

8  (f)  Revocation  op  Authorization. — 

9  (1)  In  general. — ^An  individual  may  in  writing 

10  revoke  or  amend  an  authorization  under  this  section 

11  at  any  time,  unless  the  disclosure  that  is  the  subject 

12  of  the  authorization  is  required  to  effectuate  pay- 

13  ment  for  health  care  that  hap  been  provided  to  the 

14  individual. 

15  (2)  Health  plans. — ^With  respect  to  a  health 

16  plan,  the  authorization  of  an  individual  is  deemed  to 

17  be  revoked  at  the  time  of  the  cancellation  or  non-re- 

18  newal  of  enrollment  in  the  health  plan,  except  as 

19  may  be  necessary  to  complete  plan  administration 

20  and  payment  requirements  related  to  the  individual's 

21  period  of  enrollment. 

22  (3)  Actions. — ^An  individual  may  not  maintain 

23  an  action  against  a  person  for  disclosure  of  person- 

24  ally  identifiable  health  information — 
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1  (A)  if  the  disclosure  was  made  based  on  a 

2  good  faith  reliance  on  the  individual's  author- 

3  ization  under  this  section  at  the  time  disclosure 

4  L  i-      was  made; 

5  ,  (B)  in  a  case  in  which  the  authorization  is 

6  :  i-: '      revoked,  if  the  disclosing  person  had  no  actual 

7  or  constructive  notice  of  the  revocation;  or 

8  :     (C)  if  the  disclosure  was  for  the  purpose  of 

9  protecting  another  individual  from  imminent 

10  physical  harm,  and  is  authorized  under  section 

11  204. 

12  (g)  Record  of  Individual's  Authorizations  and 


13  Revocations. — Each  person  collecting  or  storing  person- 

1 4  ally  identifiable  health  information  shall  maintain  a  record 

15  for  a  period  of  7  years  of  each  authorization  of  an  individ- 

16  ual  and  any  revocation  thereof,  and  such  record  shall  be- 

17  come  part  of  the  personally  identifiable  health  information 

18  concerning  such  individual. 

19  (h)  Rule  of  Construction. — ^Authorizations  for 

20  the  disclosure  of  protected  health  information  for  treat- 

21  ment  or  payment  shall  not  authorize  the  disclosure  of  such 

22  information  by  an  individual  with  the  intent  to  sell,  trans- 

23  fer,  or  use  protected  health  information  for  commercial  ad- 

24  vantage  other  than  the  revenues  directly  derived  from  the 

25  provision  of  health  care  to  that  individual.  For  such  disclo- 
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1  sures,  a  separate  authorization  that  satisfies  the  require- 

2  ments  of  section  203  is  required. 

3  SEC.  203.  AUTHORIZATIONS  FOR  DISCLOSURE  OF  PRO- 

4  TECTED  HEALTH  INFORMATION  OTHER  THAN 

5  FOR  TREATMENT  OR  PAYMENT. 

6  (a)  In  General. — To  satisfy  the  requirement  under 

7  section  201(a)(1),  a  health  care  provider,  health  plan, 

8  health  oversight  agency,  public  health  authority,  employer, 

9  health  researcher,  law  enforcement  official,  health  or  life 

10  insurer,  school,  or  university  that  seeks  to  disclose  pro- 

1 1  tected  health  information  for  a  purpose  other  than  treat- 

12  ment  or  payment  may  obtain  an  authorization  that  satis- 

13  fies  the  requirements  of  subsections  (b)  and  (g)  of  section 

14  202.  Such  an  authorization  under  this  section  shall  be  sep- 

15  arate  from  an  authorization  provided  under  section  202. 


16  (b)  Limitation  ON  Authorizations. — 

17  (1)  In  general. — person  subject  to  section 

18  202  may  not  condition  the  delivery  of  treatment,  or 

19  pa>Tnent  for  services,  on  the  receipt  of  an  authoriza- 

20  tion  described  in  this  section. 

21  (2)  Requirement  for  separate  authoriza- 

22  tion. — person  subject  to  section  202  may  not  dis- 

23  close  protected  health  information  to  any  employees 

24  or  agents  who  are  responsible  for  making  employ- 

25  ment,  work  assignment,  or  other  personnel  decisions 
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1  with  respect  to  the  subject  of  the  information  with- 

2  out  a  separate  authorization  permitting  such  a  dis- 

3  closure. 

4  (c)  Model  Authorizations. — The  Secretary,  after 

5  notice  and  opportunity  for  pubhc  comment,  shall  develop 

6  and  disseminate  model  written  authorizations  of  the  type 

7  described  in  subsection  (a).  Any  authorization  obtained  on 

8  a  model  authorization  form  under  this  section  developed 

9  bv  the  Secretarv  shall  be  deemed  to  meet  the  authorization 

10  requirements  of  this  section. 

11  (d)    Requirement    To    Release  Protected 

12  Health  Inforiviation  to  Coroners  and  Medical  Ex- 

13  AMINERS. — 


14 

(1)  In  general. — ^Wlien  a  Coroner  or  Medical 

15 

Examiner  or  their  duly  appointed  deputies  seek  pro- 

16 

tected  health  information  for  the  purpose  of  inquiry 

17 

into  and  determination  of,  the  cause,  manner,  and 

18 

circumstances  of  an  individual's  death,  the  health 

19 

care  provider,  health  plan,  health  oversight  agency, 

20 

public  health  authority,  employer,  health  researcher, 

21  ; 

law  enforcement  officer,  health  or  life  insurer,  school 

22 

or  university  involved  shall  provide  that  individual's 

23 

protected  health  information  to  the  Coroner  or  Medi- 

24 

cal  Examiner  or  to  the  duly  appointed  deputies  with- 

25 

out  undue  delay.  ; 
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1  (2)  Production  op  additional  informa- 

2  TION. — If  a  Coroner  or  Medical  Examiner  or  their 

3  duly  appointed  deputies  receives  health  information 

4  from  an  entity  referred  to  in  paragraph  (1),  such 

5  health  information  shall  remain  as  protected  health 

6  information  unless  the  health  information  is  at- 

7  tached  to  or  otherwise  made  a  part  of  a  Coroner's 

8  or  Medical  Examiner's  official  report,  in  which  case 

9  it  shall  no  longer  be  protected.  .  -  '{V 

10  (3)  Exemption. — Health  information  attached 

11  to  or  otherwise  made  a  part  of  a  Coroner's  or  Medi- 

12  cal  Examiner's  official  report,  shall  be  exempt  from 

13  the  provisions  of  this  Act  except  as  provided  for  in 

14  this  subsection.  .  *  , » 

15  (4)  Reimbursement. — Coroner  or  Medical 

16  Examiner  may  require  a  person  to  reimburse  their 

17  Office  for  the  reasonable  costs  associated  with  such 

18  inspection  or  copying.  ■  Sir 

19  (e)  Revocation  or  Amendment  op  Authoriza- 

20  TION. — ^An  individual  may,  in  writing,  revoke  or  amend  an 

21  authorization  under  this  section  at  any  time. 

22  (f)  Actions. — ^An  individual  may  not  maintain  an  ac- 

23  tion  against  a  person  for  disclosure  of  protected  health 

24  information —  .  : 
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1  (1)  if  the  disclosure  was  made  based  on  a  good 

2  faith  rehance  on  the  individual's  authorization  under 

3  this  section  at  the  time  disclosure  was  made; 

4  (2)  in  a  case  in  which  the  authorization  is  re- 

5  voked,  if  the  disclosing  person  had  no  actual  or  con- 

6  structive  notice  of  the  revocation;  or 

7  (3)  if  the  disclosure  was  for  the  purpose  of  pro- 

8  tecting  another  individual  from  imminent  physical 

9  harm,  and  is  authorized  under  section  204. 

10  SEC.  204.  EMERGENCY  CIRCUMSTANCES. 

11  (a)  General  Rule. — In  the  event  of  a  threat  of  im- 


12  minent  physical  or  mental  harm  to  the  subject  of  protected 

13  health  information,  any  person  may,  in  order  to  allay  or 

14  remedy  such  threat,  disclose  protected  health  information 

15  about  such  subject  to  a  health  care  practitioner,  health 

16  care  facility,  law  enforcement  authority,  or  emergency 

17  medical  personnel. 


18  (b)  Harm  to  Others. — ^Any  person  may  disclose 

19  protected  health  information  about  the  subject  of  the  in- 

20  formation  where —  ;  ^ 

21  (1)  such  subject  has  made  an  identifiable  threat 

22  of  serious  injury  or  death  with  respect  to  an  identifi- 

23  able  individual  or  group  of  individuals;    /      ;  ■ 

24  (2)  the  subject  has  the  ability  to  carry  out  such 

25  threat;  and 
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1  (3)  the  release  of  such  information  is  necessar}^ 

2  to  prevent  or  significantly  reduce  the  possibility  of 

3  such  threat  being  carried  out. 

4  SEC,  205.  PUBLIC  HEALTH. 

5  (a)  In  General. — health  care  provider,  health 


6  plan,  public  health  authority,  employer,  health  or  life  in- 

7  surer,  law  enforcement  official,  school,  or  university  may 

8  disclose  protected  health  information  to  a  public  health  au- 

9  thority  or  other  person  authorized  by  public  health  law 

10  when  receipt  of  such  information  by  the  authority  or  other 

1 1  person — 


12  (1)  relates  directly  to  a  specified  pubhc  health 

1 3  purpose; 

14  (2)  is  reasonably  likely  to  achieve  such  purpose; 

15  and 

16  (3)  is  intended  for  a  purpose  that  cannot  be 

17  achieved  through  the  receipt  or  use  of  de-identified 

18  health  information. 

19  (b)  Public  Health  Purpose  Defined. — For  pur- 


20  poses  of  subsection  (a),  the  term  ''pubhc  health  purpose" 

21  means  a  population-based  activity  or  individual  effort,  au- 

22  thorized  by  law,  aimed  at  the  prevention  of  injuiy,  disease, 

23  or  premature  mortality,  or  the  promotion  of  health,  in  a 

24  community,  including — 
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1  (1)  assessing  the  health  needs  and  status  of  the 

2  community  through  pubhe  health  surveillance  and 

3  epidemiological  research;  . 

4  (2)  developing  public  health  poHcy; 

5  (3)  responding  to  public  health  needs  and  emer- 

6  gencies;  and  .  - 

7  (4)  any  other  activities  or  efforts  authorized  by 

8  law.        K  ,                      ^:    ;  ■ 

9  SEC.  206.  PROTECTION  AND  ADVOCACY  AGENCIES. 

10  Any  person  v^^ho  creates  protected  health  information 

11  or  receives  protected  health  information  under  this  title 

12  may  disclose  that  information  to  a  protection  and  advo- 

13  cacy  agency  established  under  part  C  of  title  I  of  the  De- 

14  velopmental  Disabihties  Assistance  and  Bill  of  Rights  Act 

15  (42  U.S.C.  6041  et  seq.)  or  under  the  Protection  and  Ad- 

16  vocacy  for  Mentally  111  Individuals  Act  of  1986  (42  U.S.C. 

17  10801  et  seq.)  when  such  agency  can  establish  that  there 

18  is  probable  cause  to  beheve  that  an  individual  who  is  the 

19  subject  of  the  protected  health  information  is  vulnerable 

20  to  abuse  and  neglect  by  an  entity  providing  health  or  social 

21  services  to  the  individual.    '..^  /■-:■:/•■■.,■  :^/--'y  ^  .I'i 

22  SEC.  207.  OVERSIGHT. 

23  (a)  In  General. — ^A  health  care  provider,  health 

24  plan,  employer,  law  enforcement  official,  health  or  life  in- 

25  surer,  public  health  authority,  health  researcher,  school  or 
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1  university  may  disclose  protected  health  information  to  a 

2  health  oversight  agency  to  enable  the  agency  to  perform 

3  a  health  oversight  function  authorized  by  law,  if — 

4  (1)  the  purpose  for  which  the  disclosure  is  to  be 

5  made  cannot  reasonably  be  accomplished  without 

6  protected  health  information;  ^ 

7  (2)  the  purpose  for  which  the  disclosure  is  to  be 

8  made  is  of  sufficient  importance  to  warrant  the  ef- 

9  feet  on,  or  the  risk  to,  the  privacy  of  the  individuals 

10  that  additional  exposure  of  the  information  might 

11  bring;  and 

12  (3)  there  is  a  reasonable  probability  that  the 

13  purpose  of  the  disclosure  will  be  accomplished. 

14  (b)    Use   and   Maintenance    op  Protected 

15  Health  Information. — health  oversight  agency  that 

16  receives  protected  health  information  under  this  section — 

17  (1)  shall  rely  upon  a  method  to  scramble  or 

18  otherwise  safeguard,  to  the  maximum  extent  prac- 

19  ticable,  the  identity  of  the  subject  of  the  protected 

20  health  information  in  all  work  papers  and  all  docu- 

21  ments  summarizing  the  health  oversight  activity; 

22  (2)  shall  maintain  in  its  records  only  such  infor- 

23  mation  about  an  individual  as  is  relevant  and  nec- 

24  essary  to  accomplish  the  purpose  for  which  the  pro- 

25  teeted  health  information  was  obtained;  i/f- 
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1  (3)  shall  maintain  such  information  securely 

2  and  limit  access  to  such  information  to  those  per- 

3  sons  with  a  le^timate  need  for  access  to  carry  out 

4  the  purpose  for  which  the  records  were  obtained; 

5  and  ' 

6  (4)  shall  remove  or  destroy  the  information  that 

7  allows  subjects  of  protected  health  information  to  be 

8  identified  at  the  earliest  time  at  which  removal  or 

9  destruction  can  be  accomplished,  consistent  with  the 

10  purpose  of  the  health  oversight  activity. 

11  (c)  Use  of  Protected  Health  Information  in 

12  Judicial  Proceedings. — 

13  (1)  In  general. —  The  disclosure  and  use  of 

14  protected  health  information  in  any  judicial,  admin- 

15  istrative,  court,  or  other  pubhc,  proceeding  or  inves- 

16  tigation  relating  to  a  health  oversight  activity  shall 

17  be  undertaken  in  such  a  manner  as  to  preserve  the 

18  confidentiality  and  privacy  of  individuals  who  are  the 

19  subject  of  the  information,  unless  disclosure  is  re- 

20  quired  by  the  nature  of  the  proceedings. 

21  (2)  Limiting  disclosure. — ^Whenever  disclo- 

22  sure  of  the  identity  of  the  subject  of  protected  health 

23  information  is  required  by  the  nature  of  the  proceed- 

24  ings,  or  it  is  impracticable  to  redact  the  identity  of 

25  such  individual,  the  agency  shall  request  that  the 
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1  presiding  judicial  or  administrative  officer  enter  an 

2  order  limiting  the  disclosure  of  the  identity  of  the 

3  subject  to  the  extent  possible,  including  the  redact- 

4  ing  of  the  protected  health  information  from  publicly 

5  disclosed  or  filed  pleadings  or  records. 

6  (d)  Authorization  by  a  Supervisor. — For  pur- 

7  poses  of  this  section,  the  individual  with  authority  to  au- 

8  thorize  the  oversight  function  involved  shall  provide  to  the 

9  disclosing  person  described  in  subsection  (a)  a  statement 

10  that  the  protected  health  information  is  being  sought  for 

11  a  legally  authorized  oversight  function, 

12  (e)  Use  in  Action  Against  Individuals. — Pro- 

13  tected  health  information  about  an  individual  that  is  dis- 

14  closed  under  this  section  may  not  be  used  in,  or  disclosed 

15  to  any  person  for  use  in,  an  administrative,  civil,  or  crimi- 

16  nal  action  or  investigation  directed  against  the  individual, 

17  unless  the  action  or  investigation  arises  out  of  and  is  di- 

1 8  rectly  related  to — 

19  (1)  the  receipt  of  health  care  or  payment  for 

20  health  care; 

21  (2)  a  fraudulent  claim  related  to  health;  or 

22  (3)  oversight  of  a  public  health  authority  or  a 

23  health  researcher. 
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1  SEC.  208.  DISCLOSURE  FOR  LAW  ENFORCEMENT  PUR- 

2  i  POSES. 

3  (a)  LA^Y  Enforcement  Access  to  Protected 

4  Health  Infor:\l^tion. — health  care  provider,  health 

5  researcher,  health  plan,  health  oversight  agency,  employer, 

6  health  or  life  insurer,  school,  university,  a  person  acting 

7  as  the  agent  of  any  such  person,  or  a  person  who  receives 

8  protected  health  information  pursuant  to  section  204,  may 

9  disclose  protected  health  information  to  an  investigative 

10  or  law  enforcement  officer  pursuant  to  a  warrant  issued 

1 1  under  the  Federal  Rules  of  Criminal  Procedure,  an  equiva- 

12  lent  State  warrant,  a  grand  juiy  subpoena,  or  a  court 

13  order  under  limitations  set  forth  in  subsection  (b). 

14  (b)  Requirements  for  Court  Orders  for  Ac- 

15  CESS  TO  Protected  Health  Information. — ^A  court 

16  order  for  the  disclosure  of  protected  health  information 

17  under  subsection  (a)  may  be  issued  by  any  court  that  is 

18  a  court  of  competent  jurisdiction  and  shall  issue  only  if 

19  the  investigative  or  law  enforcement  officer  submits  a  writ- 

20  ten  application  upon  oath  or  equivalent  affirmation  dem- 

21  onstrating  that  there  is  probable  cause  to  believe  that — 

22  (1)  the  protected  health  information  sought  is 

23  relevant  and  material  to  an  ongoing  criminal  inves- 

24  tigation,  except  in  the  case  of  a  State  government 

25  authority,  such  a  court  order  shall  not  issue  if  pro- 

26  hibited  by  the  law  of  such  State; 
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1  (2)  the  investigative  or  evidentiary  needs  of  the 

2  investigative  or  law  enforcement  officer  cannot  rea- 

3  sonably  be  satisfied  by  de-identified  health  informa- 

4  tion  or  by  any  other  information;  and 

5  (3)  the  law  enforcement  need  for  the  informa- 

6  tion  outweighs  the  privacy  interest  of  the  individual 

7  to  whom  the  information  pertains.  - 

8  (c)  Motions  To  Quash  or  Modify. — court 

9  issuing  an  order  pursuant  to  this  section,  on  a  motion 

10  made  promptly  by  the  health  care  provider,  health  re- 

11  searcher,  health  plan,  health  oversight  agency,  employer, 

12  health  or  life  insurer,  school,  university,  a  person  acting 

13  as  the  agent  of  any  such  person,  or  a  person  who  receives 

14  protected  health  information  pursuant  to  section  204,  may 

15  quash  or  modify  such  order  if  the  court  finds  that  informa- 

16  tion  or  records  requested  are  unreasonably  voluminous  or 

17  if  compliance  with  such  order  otherwise  would  cause  an 

18  unreasonable  burden  on  such  persons. 

19  (d)  Notice. — 

20  (1)  In  general. — Except  as  provided  in  para- 

21  graph  (2),  no  order  for  the  disclosure  of  protected 

22  health  information  about  an  individual  may  be 

23  issued  by  a  court  under  this  section  unless  prior  no- 

24  tice  of  the  application  for  the  order  has  been  served 

25  on  the  individual  and  the  individual  has  been  af- 
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1  forded  an  opportunity  to  oppose  the  issuance  of  the 

2  order. 

3  (2)  Notice  not  required. — ^An  order  for  the 

4  disclosure  of  protected  health  information  about  an 

5  indi\ddual  may  be  issued  without  prior  notice  to  the 

6  individual  if  the  court  finds  that  notice  would  be  im- 

7  practical  because — 

8  (A)  the  name  and  address  of  the  individual 

9  -  V "  ■    are  unknown;  or 

10  •  (B)  notice  would  risk  destruction  or  nu- 
ll availability  of  the  evidence. 

12  (e)  Conditions. — Upon  the  granting  of  an  order  for 

13  disclosure  of  protected  health  information  under  this  sec- 

14  tion,  the  court  shall  impose  appropriate  safeguards  to  en- 

15  sure  the  confidentiality  of  such  information  and  to  protect 

16  against  unauthorized  or  improper  use  or  disclosure. 

17  (f)  Limitation  on  Use  and  Disclosure  for 

18  Other    Law    Enforcement    Inquiries. — Protected 

19  health  information  about  an  individual  that  is  disclosed 

20  under  this  section  may  not  be  used  in,  or  disclosed  to  any 

21  person  for  use  in,  any  administrative,  civil,  or  criminal  ac- 

22  tion  or  investigation  directed  against  the  individual,  unless 

23  the  action  or  investigation  arises  out  of,  or  is  directly  re- 

24  lated  to,  the  law  enforcement  inquiry  for  which  the  infor- 

25  mation  was  obtained. 
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1  (g)  Destruction  or  Return  of  Information. — 

2  When  the  matter  or  need  for  which  protected  health  infor- 

3  mation  was  disclosed  to  an  investigative  or  law  enforce- 

4  ment  officer  or  ^and  jury  has  concluded,  including  any 

5  derivative  matters  arising  from  such  matter  or  need,  the 

6  law  enforcement  agency  or  grand  jury  shall  either  destroy 

7  the  protected  health  information,  or  return  it  to  the  person 

8  from  whom  it  was  obtained. 

9  (h)  Redactions. — To  the  extent  practicable,  and 

10  consistent  with  the  requirements  of  due  process,  a  law  en- 

1 1  forcement  agency  shall  redact  personally  identifying  infor- 

12  mation  from  protected  health  information  prior  to  the 

1 3  public  disclosure  of  such  protected  information  in  a  judi- 

14  cial  or  administrative  proceeding. 

15  (i)  Exception. — This  section  shall  not  be  construed 

16  to  limit  or  restrict  the  ability  of  law  enforcement  authori- 

17  ties  to  gain  information  while  in  hot  pursuit  of  a  suspect 

18  or  if  other  exigent  circumstances  exist.  .> ; 

19  SEC.  209.  NEXT  OF  KIN  AND  DIRECTORY  E^ORMATION. 

20  (a)  Next  of  Kin. — health  care  provider,  or  a  per- 

21  son  who  receives  protected  health  information  under  sec- 

22  tion  204,  may  disclose  protected  health  information  about 

23  health  care  services  provided  to  an  individual  to  the  indi- 

24  vidual's  next  of  kin,  or  to  another  person  whom  the  indi- 
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1  vidual  has  identified,  if  at  the  time  of  the  treatment  of 

2  the  individual — 


3  (1)  the  individual — 

4  (A)  has  been  notified  of  the  individual's 

5  right  to  object  to  such  disclosure  and  the  indi- 

6  vidual  has  not  objected  to  the  disclosure;  or 

7  ■  (B)  is  in  a  physical  or  mental  condition 

8  such  that  the  individual  is  not  capable  of  object- 

9  ing,  and  there  are  no  prior  indications  that  the 

10  individual  would  object;  and 

11  (2)  the  information  disclosed  relates  to  health 

12  care  services  currently  being  provided  to  that  indi- 

13  vidual. 

14  (b)  Directory  Information. — 

15  (1)  Disclosure. — 

16  (A)  In  general. — Except  as  provided  in 

17  paragraph  (2),  with  respect  to  an  individual 

18  who  is  admitted  as  an  inpatient  to  a  health  care 

19  facility,  a  person  described  in  subsection  (a) 

20  may  disclose  information  described  in  subpara- 

21  graph  (B)  about  the  individual  to  any  person  if, 

22  at  the  time  of  the  admission,  the  individual — 

23  (i)  has  been  notified  of  the  individ- 

24  ual's  right  to  object  and  has  not  objected 

25  to  the  disclosure;  or 
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1  (ii)  is  in  a  physical  or  mental  eondi- 

2  tion  such  that  the  individual  is  not  capable 

3  of  objecting  and  there  are  no  prior  indica- 

4  tions  that  the  individual  would  object. 

5  (B)  Information. — Information  described 

6  in  this  subparagraph  is  information  that  con- 

7  sists  only  of  1  or  more  of  the  following  items: 

8  (i)  The  name  of  the  individual  who  is 

9  the  subject  of  the  information.  .  : 

10  (ii)  The  general  health  status  of  the 

11  individual,  described  as  critical,  poor,  fair, 

12  stable,  or  satisfactory  or  in  terms  denoting 

13  similar  conditions.  -  M  .; 

14  (iii)  The  location  of  the  individual 

15  within  the  health  care  facility  to  which  the 

16  individual  is  admitted. 

17  (2)  Exception. — Paragraph  (l)(B)(iii)  shall 

18  not  apply  if  disclosure  of  the  location  of  the  individ- 

19  ual  would  reveal  specific  information  about  the  phys- 

20  ical  or  mental  condition  of  the  individual,  unless  the 

21  individual  expressly  authorizes  such  disclosure. 

22  (c)  Directory  or  Next-of-Kin  Inforimation. — 

23  disclosure  may  not  be  made  under  this  section  if  the  dis- 

24  closing  person  described  in  subsection  (a)  has  reason  to 

25  believe  that  the  disclosure  of  directory  or  next-of-kin  infor- 
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1  mation  could  lead  to  the  physical  or  mental  harm  of  the 

2  individual,  unless  the  individual  expressly  authorizes  such 

3  disclosure. 

4  SEC.  210.  HEALTH  RESEARCH. 

5  (a)  Regulations. — 

6  (1)  In  general. — The  requirements  and  pro- 

7  tections  provided  for  under  part  46  of  title  45,  Code 

8  of  Federal  Regulations  (as  in  effect  on  the  date  of 

9  enactment  of  this  Act),  shall  apply  to  all  health  re- 
10 .  search. 

11  (2)  Effective  date. — Para^aph  (1)  shall  not 

12  take  effect  until  the  Secretary  has  promulgated  final 

13  regulations  to  implement  such  paragraph. 

14  (b)  Evaluation. — Not  later  than  24  months  after 

15  the  date  of  enactment  of  this  Act,  the  Secretary  shall  pre- 

1 6  pare  and  submit  to  Congress  detailed  recommendations  on 

17  whether  written  informed  consent  should  be  required,  and 

18  if  so,  under  what  circumstances,  before  protected  health 

19  information  can  be  used  for  health  research. 

20  (c)  Recommendations. — The  recommendations  re- 

21  quired   to   be   submitted  under   subsection   (b)  shall 

22  include — 

23  (1)  a  detailed  explanation  of  current  institu- 

24  tional  review  board  practices,  including  the  extent  to 

25  which  the  privacy  of  individuals  is  taken  into  ac- 
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1  count  as  a  factor  before  allowing  waivers  and  under 

2  what    circumstances    informed    consent    is  being 

3  waived; 

4  (2)  a  summary  of  how  technology  could  be  used 

5  to  strip  identifying  data  for  the  purposes  of  re- 

6  search; 

7  (3)  an  analysis  of  the  risks  and  benefits  of  re- 

8  quiring  informed  consent  versus  the  waiver  of  in- 

9  formed  consent; 

10  (4)  an  analysis  of  the  risks  and  benefits  of 

1 1  using  protected  health  information  for  research  pur- 

12  poses  other  than  the  health  research  project  for 

13  which  such  information  was  obtained;  and 

14  (5)  an  analysis  of  the  risks  and  benefits  of  al- 

15  lowing  individuals  to  consent  or  to  use  consent,  at 

16  the  time  of  receiving  medical  treatment,  to  the  pos- 

17  sible  future  use  of  records  of  medical  treatments  for 

18  research  studies. 

19  (d)  Consultation.— In  carrying  out  this  section. 


20  the  Secretary  shall  consult  with  individuals  who  have  dis- 

21  tinguished  themselves  in  the  fields  of  health  research,  pri- 

22  vacy,  related  technology,  consumer  interests  in  health  in- 

23  formation,  health  data  standards,  and  the  provision  of 

24  health  services. 
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1  (e)  Congressional  Notice. — Not  later  than  6 

2  months  after  the  date  on  which  the  Secretary  submits  to 

3  Congress  the  recommendations  required  under  subsection 

4  (b),  the  Secretary  shall  propose  to  implement  such  rec- 

5  ommendations  througii  retaliations  promulgated  on  the 

6  record  after  opportvmity  for  a  hearing,  and  shall  advise 

7  the  Congress  of  such  proposal. 


8  (f)  Other  Requirements. — 

9  •  V  :,  (1)  Obligations  op  the  recipient. — per- 

10  son  who  receives  protected  health  information  pursu- 

11  ant  to  this  section  shall  remove  or  destroy,  at  the 

12  earliest  opportunity  consistent  with  the  purposes  of 

13  the  project  involved,  information  that  would  enable 

14  an  individual  to  be  identified,  unless — 

15  (A)  an  institutional  review  board  has  de- 

16  termined  that  there  is  a  health  or  research  jus- 

17  tification  for  the  retention  of  such  identifiers; 

18  .  -  and  ■ 

19  (B)  there  is  an  adequate  plan  to  protect 

20  the  identifiers  from  disclosure  consistent  with 

21  this  section;  and  '  .  ' 

22  (2)  Periodic  review  and  technic.\l  assist- 

23  ANCE. —  '  ■^r^tv-^-y-:'"''^^^^ 

24  (A)  Institutional  review  board. — ^Any 

25  institutional  review  board  that  authorizes  re- 
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1  search  under  this  section  shall  provide  the  Sec- 

2  retaiy  with  the  names  and  addresses  of  the  in- 

3  stitutional  review  board  members. 

4  (B)  Technical  assistance. — The  Sec- 

5  retary  may  provide  technical  assistance  to  insti- 

6  tutional  review  boards  described  in  this  sub- 

7  section. 

8  (C)  Monitoring. — The  Secretary  shall  pe- 

9  riodically  monitor  institutional  review  boards 

10  described  in  this  subsection. 

11  (D)  Reports. — Not  later  than  3  years 

12  after  the  date  of  enactment  of  this  Act,  the  Sec- 

13  retary  shall  report  to  Congress  regarding  the 

14  activities   of  institutional   review  boards  de- 

15  scribed  in  this  subsection. 

16  (g)  Limitation. — Nothing  in  this  section  shall  be 


17  construed  to  permit  protected  health  information  that  is 

18  received  by  a  researcher  under  this  section  to  be  accessed 

19  for  purposes  other  than  research  or  as  authorized  by  the 

20  individual. 

2 1  SEC.  211.  JUDICIAL  AND  ADMINISTRATIVE  PURPOSES. 

22  (a)  In  General. — A  health  care  provider,  health 

23  plan,  health  oversight  agency,  employer,  insurer,  health  or 

24  life  insurer,  school  or  university,  a  person  acting  as  the 

25  agent  of  any  such  person,  or  a  person  who  receives  pro- 
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1  tected  health  information  under  section  204,  may  disclose 

2  protected  health  information —  : 


3  (1)  pursuant  to  the  standards  and  procedures 

4  established  in  the  Federal  Rules  of  Civil  Procedure 

5  or  comparable  rules  of  other  courts  or  administrative 

6  agencies,  in  connection  with  litigation  or  proceedings 

7  to  which  an  individual  who  is  the  subject  of  the  in- 

8  formation  is  a  party  and  in  which  the  individual  has 

9  placed  his  or  her  physical  or  mental  condition  at 

10  issue; 

11  (2)  to  a  court,  and  to  others  ordered  by  the 

12  court,  if  in  response  to  a  court  order  issued  by  a 

13  court  of  competent  jurisdiction  in  accordance  with 

14  subsections  (b)  and  (c);  or 

15  (3)  if  necessary  to  present  to  a  court  an  appli- 

16  cation  regarding  the  provision  of  treatment  of  an  in- 

17  dividual  or  the  appointment  of  a  guardian. 

18  (b)  Court  Orders  for  Access  to  Protected 


19  Health  Inforimation. — court  order  for  the  disclosure 

20  of  protected  health  information  under  subsection  (a)  may 

21  be  issued  only  if  the  person  seeking  disclosure  submits  a 

22  written  application  upon  oath  or  equivalent  affirmation 

23  demonstrating  by  clear  and  convincing  evidence  that — 
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1  (1)  the  protected  health  information  sought  is 

2  necessaiy  for  the  adjudication  of  a  material  fact  in 

3  dispute  in  a  civil  proceeding; 

4  (2)  the  adjudicative  need  cannot  be  reasonably 

5  satisfied  by  de-identified  health  information  or  by 

6  any  other  information;  and 

7  (3)  the  need  for  the  information  outweighs  the 

8  privacy  interest  of  the  individual  to  whom  the  infor- 

9  mation  pertains. 

10  (c)  Notice. — 

11  (1)  In  general. — Except  as  provided  in  para- 

12  graph  (2),  no  order  for  the  disclosure  of  protected 

13  health   information   about  an  individual  may  be 

14  issued  by  a  court  unless  notice  of  the  application  for 

15  the  order  has  been  served  on  the  individual  and  the 

16  individual  has  been  afforded  an  opportunity  to  op- 

17  pose  the  issuance  of  the  order. 

18  (2)  Notice  not  required. — ^An  order  for  the 

19  disclosure  of  protected  health  information  about  an 

20  individual  may  be  issued  without  notice  to  the  indi- 

21  vidual  if  the  court  finds,  by  clear  and  convincing  evi- 

22  dence,  that  notice  would  be  impractical  because — 

23  (A)  the  name  and  address  of  the  individual 

24  are  unknown;  or 
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1  (B)  notice  would  risk  destruction  or  un- 

2  '      availability  of  the  evidence. 

3  (d)  Obligations  of  Recipient. — person  seeking 

4  protected  health   information   pursuant  to  subsection 

5  (a)(1)— 

6  (1)  shall  notify  the  individual  or  the  individual's 

7  attorney  of  the  request  for  the  information; 

8  (2)   shall  provide  the  health  care  provider, 

9  health  plan,  health  oversight  agency,  employer,  in- 

10  surer,  health  or  life  insurer,  school  or  university, 

11  agent,  or  other  person  involved  with  a  signed  docu- 

12  ment  attesting — 

13  ■  (A)  that  the  individual  has  placed  his  or 

14  her  physical  or  mental  condition  at  issue  in  liti- 

15  gation  or  proceedings  in  which  the  individual  is 

16  a  party;  and 

17  (B)  the  date  on  which  the  individual  or  the 

18  individual's  attorney  was  notified  under  para- 

19  graph  (1);  and 

20  (3)  shall  not  accept  any  requested  protected 

21  health  information  from  the  health  care  provider, 

22  health  plan,  health  oversight  agency,  employer,  in- 

23  surer,  health  or  life  insurer,  school  or  university, 

24  agent,  or  person  until  the  termination  of  the  10-day 
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1  period  beginning  on  the  date  notice  was  given  under 

2  paragraph  (1).  ?  t 

3  SEC.  212.  INDIVroUAL  REPRESENTATIVES. 

4  (a)  In  General. — Except  as  provided  in  subsections 

5  (b)  and  (c),  a  person  who  is  authorized  by  law  (based  on 

6  grounds  other  than  an  individual's  status  as  a  minor),  or 

7  by  an  instrament  recognized  under  law,  to  act  as  an  agent, 

8  attorney,  proxy,  or  other  legal  representative  of  a  individ- 

9  ual,  may,  to  the  extent  so  authorized,  exercise  and  dis- 

10  charge  the  rights  of  the  individual  under  this  Act.  ^ 

11  (b)  Health  Care  Power  of  Attorney. — ^A  person 

12  who  is  authorized  by  law  (based  on  grounds  other  than 

13  being  a  minor),  or  by  an  instrument  recognized  under  law, 

14  to  make  decisions  about  the  provision  of  health  care  to 

15  an  individual  who  is  incapacitated,  may  exercise  and  dis- 

16  charge  the  rights  of  the  individual  under  this  Act  to  the 

17  extent  necessary  to  effectuate  the  terms  or  purposes  of 

18  the  grant  of  authority.  ■  ~ 

19  (c)  No  Court  Declaration. — If  a  physician  or 

20  other  health  care  provider  determines  that  an  individual, 

21  who  has  not  been  declared  to  be  legally  incompetent,  suf- 

22  fers  from  a  medical  condition  that  prevents  the  individual 

23  from  acting  knowingly  or  effectively  on  the  individual's 

24  own  behalf,  the  right  of  the  individual  to  authorize  disclo- 
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1  sure  under  this  Act  may  be  exercised  and  discharged  in 

2  the  best  interest  of  the  individual  by — 


3  (1)  a  person  described  in  subsection  (b)  with  re- 

4  spect  to  the  individual; 

5  (2)  a  person  described  in  subsection  (a)  with  re- 

6  spect  to  the  individual,  but  only  if  a  person  de- 

7  scribed  in  paragraph  (1)  cannot  be  contacted  after 

8  a  reasonable  effort; 

9  (3)  the  next  of  kin  of  the  individual,  but  only 

10  if  a  person  described  in  paragraph  (1)  or  (2)  cannot 

11  .  be  contacted  after  a  reasonable  effort;  or 

12  (4)  the  health  care  provider,  but  only  if  a  per- 

13  son  described  in  paragraph  (1),  (2),  or  (3)  cannot  be 

14  contacted  after  a  reasonable  effort. 

15  (d)  Rights  op  Minors. — 

16  (1)  Individuals  who  are  is  or  legally  ca- 

17  PABLE. — In  the  case  of  an  individual — 

18  '    (A)  who  is  18  years  of  age  or  older,  all 

19  rights  of  the  individual  under  this  Act  shall  be 

20  exercised  by  the  individual;  or  ; 

21  (B)  who,  acting  alone,  can  obtain  a  type  of 

22  health  care  without  violating  any  applicable  law, 

23  and  who  has  sought  such  care,  the  individual 

24  shall  exercise  all  rights  of  an  individual  under 
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1  this  Act  with  respect  to  protected  health  infor- 

2  mation  relating  to  such  health  care. 

3  (2)  Individuals  under  is. — Except  as  pro- 

4  vided  in  paragraph  (1)(B),  in  the  case  of  an  indi\dd- 

5  ual  who  is — 

6  (A)  under  14  years  of  age,  all  of  the  indi- 

7  vi dual's  rights  under  this  Act  shall  be  exercised 

8  through  the  parent  or  legal  guardian;  or 

9  (B)  14  through  17  years  of  age,  the  rights 

10  of  inspection  and  supplementation,   and  the 

11  right  to  authorize  use  and  disclosure  of  pro- 

12  tected  health  information  of  the  individual  shall 

13  be  exercised  by  the  individual,  or  by  the  parent 

14  or  legal  guardian  of  the  individual. 

15  (e)  Deceased  Individuals.— 

16  (1)  Application  of  act. — The  provisions  of 

17  this  Act  shall  continue  to  apply  to  protected  health 

18  information  concerning  a  deceased  individual. 

19  (2)  Exercise  of  rights  on  behalf  of  a  de- 

20  CEASED  INDIVIDUAL. — ^A  person  who  is  authorized 

21  by  law  or  by  an  instrument  recognized  under  law,  to 

22  act  as  an  executor  of  the  estate  of  a  deceased  indi- 

23  vidual,  or  otherwise  to  exercise  the  rights  of  the  de- 

24  ceased  individual,  may,  to  the  extent  so  authorized, 

25  exercise  and  discharge  the  rights  of  such  deceased 
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1  indi\idual  under  this  Act.  If  no  such  designee  has 

2  been  authorized,  the  rights  of  the  deceased  indi\'id- 

3  ual  may  be  exercised  as  provided  for  in  subsection 

4  (c). 

5  (3)  Identification  of  deceased  iNDmD- 

6  UAL. — person  described  in  section  209(a)  may  dis- 

7  close  protected  health  information  if  such  disclosure 

8  is  necessary  to  assist  in  the  identification  of  a  de- 

9  ceased  indi\ddual. 

10  SEC.  213.  PROHIBmON  AGAINST  RETALIATION. 

11  A  health  care  provider,  health  researcher,  health 

12  plan,  health  oversight  agency,  employer,  health  or  life  in- 

13  surer,  school  or  university,  person  acting  as  an  agent  of 

14  any  such  person,  or  person  who  receives  protected  health 

15  information  under  section  204  may  not  adversely  affect 

16  another  person,  directly  or  indirectly,  because  such  person 

17  has  exercised  a  right  under  this  Act,  disclosed  information 

18  relating  to  a  possible  violation  of  this  Act,  or  associated 

19  with,  or  assisted,  a  person  in  the  exercise  of  a  right  under 

20  this  Act. 
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1  TITLE  III— OFFICE  OF  HEALTH 

2  INFORMATION    PRIVACY  OF 

3  THE        DEPARTMENT  OF 

4  HEALTH  AND  HUMAN  SERV- 

5  ICES 


6  Subtitle  A — Designation 

7  SEC.  301.  DESIGNATION. 

8  (a)  In  General. — The  Secretary  shall  designate  an 

9  office  within  the  Department  of  Health  and  Human  Serv- 

10  ices  to  be  known  as  the  Office  of  Health  Information  Pri- 

1 1  vacy.  The  Office  shall  be  headed  by  a  Director,  who  shall 

12  be  appointed  by  the  Secretary. 

13  (b)  Duties.— The  Director  of  the  Office  of  Health 

14  Information  Privacy  shall —  " 

15  (1)  receive  and  investigate  complaints  of  alleged 

16  violations  of  this  Act;  ' 

17  (2)  provide  for  the  conduct  of  audits  where  ap- 

1 8  propriate; 

19  (3)  provide  guidance  to  the  Secretary  in  the  im- 

20  plementation  of  this  Act;  - 

21  (4)  prepare  and  submit  the  report  described  in 

22  subsection  (c); 

23  (5)  consult  with,  and  provide  recommendation 

24  to,  the  Secretary  concerning  improvements  in  the 
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1  privacy  and  security  of  protected  health  information 

2  and  concerning  medical  privacy  research  needs;  and 

3  (6)  carry  out  any  other  activities  determined 

4  appropriate  by  the  Secretary.     '     i  .^..'X/'^--' 

5  (c)  Report  on  Compliance. — Not  later  than  Janu- 

6  SLY}-  1  of  the  first  calendar  year  beginning  more  than  1 

7  year  after  the  establishment  of  the  Office  under  subsection 

8  (a),  and  every  January  1  thereafter,  the  Director  of  the 

9  Office  of  Health  Information  Privacy  shall  prepare  and 

10  submit  to  Congi^ess  a  report  concerning  the  number  of 

11  complaints  of  alleged  violations  of  this  Act  that  are  re- 

12  ceived  during  the  year  for  which  the  report  is  being  pre- 

13  pared.  Such  report  shall  describe  the  complaints  and  any 

14  remedial  action  taken  concerning  such  complaints. 

15  Subtitle  B — Enforcement 

16  CHAPTER  1— CRIMINAL  PROVISIONS 

17  SEC.    311.    WRONGFUL    DISCLOSURE    OF  PROTECTED 

18  HEALTH  E^ORMATION. 

19  (a)  In  General. — Part  I  of  title  18,  United  States 

20  Code,  is  amended  by  adding  at  the  end  the  following: 

21  "CHAPTER  124— WRONGFUL  DISCLOSURE 

22  OF  PROTECTED  HEALTH  INFORMATION 

"Sec.  .  :  - 

"2801.  Wrongful  disclosure  of  protected  health  information. 
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1  "§2801.  Wrongful  disclosure  of  protected  health  in- 

2  formation 

3  "(a)  Offense. — The  penalties  described  in  sub- 

4  section  (b)  shall  apply  to  a  person  that  knowingly  and 

5  intentionally — 

6  "(1)  obtains  or  attempts  to  obtain  protected 

7  health  information  relating  to  an  individual  in  viola- 

8  tion  of  title  II  of  the  Medical  Information  Privacy 

9  and  Security  Act;  or 

10  "(2)  discloses  or  attempts  to  disclose  protected 

1 1  health  information  to  another  person  in  violation  of 

12  title  II  of  the  Medical  Information  Privacy  and  Se- 

1 3  curity  Act. 

14  "(b)  Penalties. — ^A  person  described  in  subsection 

15  (a)  shall— 

16  "(1)  be  fined  not  more  than  $50,000,  impris- 

17  oned  not  more  than  1  year,  or  both; 

18  "(2)  if  the  offense  is  committed  under  false  pre- 

19  tenses,  be  fined  not  more  than  $250,000,  imprisoned 

20  not  more  than  5  years,  or  any  combination  of  such 

21  penalties;  or  l 

22  "(3)  if  the  offense  is  committed  with  the  intent 

23  to  sell,  transfer,  or  use  protected  health  information 

24  for  commercial  advantage,  personal  gain,  or  mali- 

25  cious  harm,  be  fined  not  more  than  $500,000,  im- 

26  prisoned  not  more  than  10  years,  excluded  from  par- 
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1  ticipation  in  any  Federally  funded  health  care  pro- 

2  grams,  or  any  combination  of  such  penalties. 

3  "(c)  Subsequent  Offenses. — In  the  case  of  a  per- 

4  son  described  in  subsection  (a),  the  maximum  penalties 

5  described  in  subsection  (b)  shall  be  doubled  for  every  sub- 

6  sequent  comiction  for  an  offense  arising  out  of  a  violation 

7  or  \dolations  related  to  a  set  of  circumstances  that  are  dif- 

8  ferent  from  those  involved  in  the  previous  violation  oi-  set 

9  of  related  violations  described  in  such  subsection  (a).". 

10  (b)  Clerical  A^mendment. — The  table  of  chapters 

11  for  part  I  of  title  18,  United  States  Code,  is  amended  by 

12  inserting  after  the  item  relating  to  chapter  123  the  follow- 

13  ing  new  item: 

"124.  Wron^l  disclosure  of  protected  health  mformatioii    2801". 

14  SEC.  312.  DEBABMENT  FOR  CRIMES. 

15  (a)  Purpose. — The  purpose  of  this  section  is  to  pro- 

16  mote  the  prevention  and  deterrence  of  instances  of  inten- 

17  tional  criminal  actions  which  violate  criminal  laws  which 

1 8  are  designed  to  protect  the  privacy  of  protected  health  in- 

19  formation  in  a  m  mner  consistent  with  this  Act. 

20  (b)  Debarment. — Not  later  than  270  days  after  the 

21  date  of  enactment  of  this  Act,  the  Attorney  General,  in 

22  consultation  with  the  Secretary,  shall  promulgate  regula- 

23  tions  and  establish  procedures  to  permit  the  debarment 

24  of  health  care  providers,  health  researchers,  health  or  life 

25  insurers,  employers,  or  schools  or  universities  from  receiv- 
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1  ing  benefits  under  any  Federal  health  programs  or  other 

2  Federal  procurement  program  if  the  managers  or  officers 

3  of  such  persons  are  found  guilty  of  violating  section  2801 

4  of  title  18,  United  States  Code,  have  civil  penalties  im- 

5  posed  against  such  officers  or  managers  under  section  321 

6  in  connection  with  the  illegal  disclosure  of  protected  health 

7  information,  or  are  found  guilty  of  making  a  false  state- 

8  ment  or  obstructing  justice  related  to  attempting  to  con- 

9  ceal  or  concealing  such  illegal  disclosure.  Such  regulations 

10  shall  take  into  account  the  need  for  continuity  of  medical 

11  care  and  may  provide  for  a  delay  of  any  debarment  im- 

12  posed  under  this  section  to  take  into  account  the  medical 

13  needs  of  patients.  \                   ^  r 

14  (c)  Consultation. — Before  pubhshing  a  proposed 

15  rule  to  implement  subsection  (b),  the  Attorney  General 

16  shall  consult  with  State  law  enforcement  officials,  health 

17  care  providers,  patient  privacy  rights'  advocates,  and  other 

18  appropriate  persons,  to  gain  additional  information  re- 

19  garding  the  debarment  of  entities  under  subsection  (b) 

20  and  the  best  methods  lo  ensure  the  continuity  of  medical 

21  care.  ■  • 

22  (d)  Report. — The  Attorney  General  shall  annually 

23  prepare  and  submit  to  the  Committee  on  the  Judiciary  of 

24  the  House  of  Representatives  and  the  Committee  on  the 

25  Judiciary  of  the  Senate  a  report  concerning  the  activities 
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1  and  debarment  actions  taken  by  the  Attorney  General 

2  under  this  section. 

3  (e)  Assistance  To  Prevent  Criminal  Viola- 

4  TIONS. — The  Attorney  General,  in  cooperation  with  any 

5  other  appropriate  individual,  organization,  or  ag^ency,  may 

6  provide  advice,  training,  technical  assistance,  and  guid- 

7  ance  regarding  ways  to  reduce  the  incidence  of  improper 

8  disclosure  of  protected  health  information.  , 

9  (f)  Relationship  to  Other  Authorities. — ^A  de- 

10  barment  imposed  under  this  section  shall  not  reduce  or 

1 1  diminish  the  authority  of  a  Federal,  State,  or  local  govern- 

12  mental  agency  or  court  to  penalize,  imprison,  fme,  sus- 

13  pend,  debar,  or  take  other  adverse  action  against  a  person, 

14  in  a  civil,  criminal,  or  administrative  proceeding. 

15  CHAPTER  2— CIVIL  SANCTIONS 

16  SEC.  321.  CIVIL  PENALTY. 

17  (a)  Violation. — ^A  health  care  provider,  health  re- 

18  searcher,  health  plan,  health  oversight  agency,  public 

19  health  agency,  law  enforcement  agency,  employer,  health 

20  or  life  insurer,  school,  or  university,  or  a  person  acting 

21  as  the  agent  of  any  such  person,  who  the  Secretary,  in 

22  consultation  with  the  Attorney  General,  determines  has 

23  substantially  and  materially  failed  to  comply  with  this  Act 

24  shall  be  subject,  in  addition  to  any  other  penalties  that 

25  may  be  prescribed  by  law —  ■  "     ;  i  U  :  ^ 
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1  (1)  in  a  case  in  which  the  violation  relates  to 

2  title  I,  to  a  civil  penalty  of  not  more  than  $500  for 

3  each  such  violation,  but  not  to  exceed  $5000  in  the 

4  aggregate  for  multiple  ^aolations; 

5  (2)  in  a  case  in  which  the  ^dolation  relates  to 

6  title  II,  to  a  evvil  penalty  of  not  more  than  $10,000 

7  for  each  such  violation,  but  not  to  exceed  $50,000 

8  in  the  aggregate  for  multiple  violations;  or 

9  (3)  in  a  case  in  which  the  Secretary  finds  that 

10  such  violations  have  occurred  with  such  frequency  as 

11  to  constitute  a  general  business  practice,  to  a  civil 

12  penalty  of  not  more  than  $100,000. 

13  (b)  Procedures  for  Imposition  of  Penalties. — 

14  Section  1128A  of  the  Social  Security  Act  (42  U.S.C. 

15  1320a-7a),  other  than  subsections  (a)  and  (b)  and  the 

16  second  sentence  of  subsection  (f)  of  that  section,  shall 

17  apply  to  the  imposition  of  a  civil,  monetary,  or  exclusion- 

1 8  ary  penalty  under  this  section  in  the  same  manner  as  such 

19  provisions  apply  ^vith  respect  to  the  imposition  of  a  penalty 

20  under  section  112  8A  of  such  Act. 

2 1  SEC.  322.  PROCEDURES  FOR  IMPOSITION  OF  PENALTIES. 

22  (a)  Initiation  OF  Proceedings. — 

23  (1)  In  general. — The  Secretary,  in  consulta- 

24  tion  with  the  Attorney  General,  may  initiate  a  pro- 

25  ceeding  to  determine  whether  to  impose  a  civil 
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1  money  penalty  under  section  321.  The  Secretary 

2  -  may  not  initiate  an  action  under  this  section  with  re- 

3  spect  to  any  violation  described  in  section  321  after 

4  the  expiration  of  the  6-year  period  beginning  on  the 

5  date  on  which  such  violation  was  alleged  to  have  oe- 

6  curred.  The  Secretary  may  initiate  an  action  under 

7  this  section  by  serving  notice  of  the  action  in  any 

8  manner  authorized  by  Rule  4  of  the  Federal  Rules 

9  of  Civil  Procedure. 

10  (2)  Notice  and  opportunity  for  hear- 

11  ING. — The  Secretary  shall  not  make  a  determination 

12  adverse  to  any  person  under  paragraph  (1)  until  the 

13  person  has  been  given  written  notice  and  an  oppor- 

14  tunity  for  the  determination  to  be  made  on  the 

15  record  after  a  hearing  at  which  the  person  is  entitled 

16  to  be  represented  by  counsel,  to  present  witnesses, 

17  and  to  cross-examine  witnesses  against  the  person. 

18  (3)  Estoppel. — In  a  proceeding  under  para- 

19  graph  (1)  that — 

20  (A)  is  against  a  person  who  has  been  con- 

21  victed  (whether  upon  a  verdict  after  trial  or 

22  upon  a  plea  of  guilty  or  nolo  contendere)  of  a 

23  crime  under  section  2801  of  title  18,  United 

24  States  Code;  and 
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1  (B)  involves  the  same  conduct  as  in  the 

2  criminal  action; 

3  the  person  is  estopped  from  denying  the  essential 

4  elements  of  the  criminal  offense. 

5  (4)  Sanctions  for  failure  to  comply. — 

6  The  official  conducting  a  hearing  under  this  section 

7  may  sanction  a  person,  including  any  party  or  attor- 

8  ney,  for  failing  to  comply  with  an  order  or  proce- 

9  dure,  failing  to  defend  an  action,  or  other  mis- 

10  conduct  as  would  interfere  with  the  speedy,  orderly, 

11  or  fair  conduct  of  the  hearing.  Such  sanction  shall 

12  reasonably  relate  to  the  severity  and  nature  of  the 

13  failure  or  misconduct.  Such  sanction  may  include — 

14  (A)  in  the  case  of  refusal  to  provide  or  per- 

15  mit  discovery,  drawing  negative  factual  infer- 

16  ences  or  treating  such  refusal  as  an  admission 

17  by  deeming  the  matter,  or  certain  facts,  to  be 

18  estabhshed;  i'; 

19  (B)  prohibiting  a  party  from  introducing 

20  certain  evidence  or  otherwise  supporting  a  par- 

21  ticular  claim  or  defense; 

22  (C)  striking  pleadings,  in  whole  or  in  part; 

23  (D)  staying  the  proceedings; 

24  (E)  dismissal  of  the  action;  ^•• 

25  (F)  entering  a  default  judgment; 
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1  r      (G)  ordering  the  party  or  attorney  to  pay 

2  attorneys'  fees  and  other  costs  caused  by  the 

3  _)  -       failure  or  misconduct;  and 

4  (H)  refusing  to  consider  any  motion  or 

5  other  action  which  is  not  filed  in  a  timely  man- 

6  ner. 

7  (b)    Scope    of   Penalty. — In   determining  the 

8  amount  or  scope  of  any  penalty  imposed  pursuant  to  sec- 

9  tion  321,  the  Secretary  shall  take  into  account — 

10  (1)  the  nature  of  claims  and  the  circumstances 

1 1  under  which  they  were  presented; 

12  (2)  the  degree  of  culpability,  history  of  prior  of- 

13  fenses,  and  financial  condition  of  the  person  against 

14  whom  the  claim  is  brought;  and 

15  (3)  such  other  matters  as  justice  may  require. 

16  (c)  Review  of  Determination. — 

17  (1)  In  general. — ^Any  person  adversely  af- 

18  fected  by  a  determination  of  the  Secretary  under 

19  this  section  may  obtain  a  review  of  such  determina- 

20  tion  in  the  United  States  Court  of  Appeals  for  the 

21  circuit  in  which  the  person  resides,  or  in  which  the 

22  claim  was  presented,  by  filing  in  such  court  (within 

23  60  days  following  the  date  the  person  is  notified  of 

24  the  determination  of  the  Secretary  a  written  petition 
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1  requesting:  that  the  determination  be  modified  or  set 

2  aside. 

3  (2)  Filing  op  record. — copy  of  the  petition 

4  filed  under  paragraph  (1)  shall  be  forthwith  trans- 

5  mitted  by  the  clerk  of  the  court  to  the  Secretary, 

6  and  thereupon  the  Secretary  shall  file  in  the  Court 

7  the  record  in  the  proceeding  as  provided  in  section 

8  2112  of  title  28,  United  States  Code.  Upon  such  fil- 

9  ing,  the  court  shall  have  jurisdiction  of  the  proceed- 

10  ing  and  of  the  question  determined  therein,  and 

11  shall  have  the  power  to  make  and  enter  upon  the 

12  pleadings,  testimony,  and  proceedings  set  forth  in 

13  such  record  a  decree  affirming,  modifying,  remand- 

14  ing  for  further  consideration,  or  setting  aside,  in 

15  whole  or  in  part,  the  determination  of  the  Secretary 

16  and  enforcing  the  same  to  the  extent  that  such  order 

17  is  affirmed  or  modified.  : 

18  (3)  Consideration  of  objections. — No  ob- 

19  jection  that  has  not  been  raised  before  the  Secretary 

20  with  respect  to  a  determination  described  in  para- 

21  graph  (1)  shall  be  considered  by  the  court,  unless 

22  the  failure  or  neglect  to  raise  such  objection  shall  be 

23  excused  because  of  extraordinary  circumstances. 

24  (4)  Findings. — The  findings  of  the  Secretary 

25  with  respect  to  questions  of  fact  in  an  action  under 
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1  this  subsection,  if  supported  by  substantial  evidence 

2  on  the  record  considered  as  a  whole,  shall  be  conclu- 

3  sive.  If  any  party  shall  apply  to  the  court  for  leave 

4  to  adduce  additional  evidence  and  shall  show  to  the 

5  satisfaction  of  the  court  that  such  additional  evi- 

6  dence  is  material  and  that  there  were  reasonable 

7  pounds  for  the  failure  to  adduce  such  e\ddence  in 

8  the  hearing  before  the  Secretary,  the  court  may 

9  order  such  additional  e\ddence  to  be  taken  before  the 

10  Secretary  and  to  be  made  a  part  of  the  record.  The 

11  Secretary  may  modify  findings  as  to  the  facts,  or 

12  make  new  findings,  by  reason  of  additional  evidence 

13  so  taken  and  filed,  and  shall  file  with  the  court  such 

14  modified  or  new  findings,  and  such  findings  with  re- 

15  spect  to  questions  of  fact,  if  supported  by  substan- 

16  tial  evidence  on  the  record  considered  as  a  whole, 

17  and  the  recommendations  of  the  Secretary,  if  any, 

18  for  the  modification  or  setting  aside  of  the  original 

19  order,  shall  be  conclusive. 

20  (5)  Exclusive  jurisdiction. — Upon  the  fihng 

21  of  the  record  with  the  court  under  paragraph  (2), 

22  the  jurisdiction  of  the  court  shall  be  exclusive  and  its 

23  judgment  and  decree  shall  be  final,  except  that  the 

24  same  shall  be  subject  to  review  by  the  Supreme 
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1  Court  of  the  United  States,  as  provided  for  in  sec- 

2  tion  1254  of  title  28,  United  States  Code.  t 

3  (d)  Recovery  of  Penalties. — 

4  (1)  In  general. — Civil  money  penalties  im- 

5  posed  under  this  chapter  may  be  compromised  by 

6  the  Secretary  and  may  be  recovered  in  a  civil  action 

7  in  the  name  of  the  United  States  brought  in  United 

8  States  district  court  for  the  district  where  the  claim 

9  was  presented,  or  where  the  claimant  resides,  as  de- 

10  termined  by  the  Secretary.  Amounts  recovered  under 

1 1  this  section  shall  be  paid  to  the  Secretary  and  depos- 

12  ited  as  miscellaneous  receipts  of  the  Treasury  of  the 

13  United  States.  •> 

14  (2)  Deduction  from  amounts  owing. — The 

15  amount  of  any  penalty,  when  finally  determined 

16  under  this  section,  or  the  amount  a^eed  upon  in 

17  compromise  under  paragraph  (1),  may  be  deducted 

18  from  any  sum  then  or  later  owing  by  the  United 

19  States  or  a  State  to  the  person  against  whom  the 

20  penalty  has  been  assessed. 

21  (e)  Determination  FinaIj. — determination  by 

22  the  Secretary  to  impose  a  penalty  under  section  321  shall 

23  be  final  upon  the  expiration  of  the  60 -day  period  referred 

24  to  in  subsection  (c)(1).  Matters  that  were  raised  or  that 

25  could  have  been  raised  in  a  hearing  before  the  Secretary 
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1  or  in  an  appeal  pursuant  to  subsection  (e)  may  not  be 

2  raised  as  a  defense  to  a  civil  action  by  the  United  States 

3  to  collect  a  penalty  under  section  321.  . 

4  (f)  Subpoena  Authority. — 

5  (1)  In  generai^. — For  the  purpose  of  any 

6  hearing,  investigation,  or  other  proceeding-  author- 

7  ized  or  directed  under  this  section,  or  relative  to  any 

8  other  matter  within  the  jurisdiction  of  the  Secretary 

9  hereunder,  the  Secretary  shall  have  the  power  to 

10  issue  subpoenas  requiring  the  attendance  and  testi- 

11  mony  of  witnesses  and  the  production  of  any  evi- 

12  dence  that  relates  to  any  matter  under  investigation 

13  or  in  question.  Such  attendance  of  witnesses  and 

14  production  of  evidence  at  the  designated  place  of 

15  such  hearing,  investigation,  or  other  proceeding  may 

16  be  required  from  any  place  in  the  United  States  or 

17  in  any  Territory  or  possession  thereof. 

18  (2)    Service. — Subpoenas   of  the  Secretary 

19  under  paragraph  (1)  shall  be  served  by  anyone  au- 

20  thorized  by  the  Secretary  by  delivering  a  copy  there- 

21  of  to  the  individual  named  therein. 

22  (3)  Proof  op  service. — verified  return  by 

23  the  individual  serving  the  subpoena  under  this  sub- 

24  section  setting  forth  the  manner  of  service  shall  be 

25  proof  of  service.  •  , 
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1  (4)  Fees. — ^Witnesses  subpoenaed  under  this 

2  subsection  shall  be  paid  the  same  fees  and  mileage 

3  as  are  paid  witnesses  in  the  district  court  of  the 

4  United  States. 

5  (5)  Refusal  to  obey. — In  case  of  contumacy 

6  by,  or  refusal  to  obey  a  subpoena  duly  served  upon, 

7  any  person,  any  district  court  of  the  United  States 

8  for  the  judicial  district  in  which  such  person  charged 

9  with  contumacy  or  refusal  to  obey  is  found  or  re- 

10  sides  or  transacts  business,  upon  application  by  the 

11  Secretary,  shall  have  jurisdiction  to  issue  an  order 

12  requiring  such  person  to  appear  and  give  testimony, 

13  or  to  appear  and  produce  evidence,  or  both.  Any  fail- 

14  ure  to  obey  such  order  of  the  court  may  be  punished 

15  by  the  court  as  contempt  thereof. 

16  (g)  Injunctive  Relief. — ^Wlienever  the  Secretary 

17  has  reason  to  believe  that  any  person  has  engaged,  is  en- 

1 8  gaging,  or  is  about  to  engage  in  any  activity  which  makes 

19  the  person  subject  to  a  civil  monetary  penalty  under  sec- 

20  tion  321,  the  Secretary  may  bring  an  action  in  an  appro- 

21  priate  district  court  of  the  United  States  (or,  if  applicable, 

22  a  United  States  court  of  any  territory)  to  enjoin  such  ac- 

23  tivity,  or  to  enjoin  the  person  from  concealing,  removing, 

24  encumbering,  or  disposing  of  assets  which  may  be  required 
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1  in  order  to  pay  a  civil  monetary  penalty  if  any  sueh  pen- 

2  alty  were  to  be  imposed  or  to  seek  other  appropriate  relief. 

3  (h)  Agency. — principal  is  jointly  and  severally  lia- 

4  ble  with  the  principal's  agent  for  penalties  under  section 

5  321  for  the  actions  of  the  principal's  agent  acting  within 

6  the  scope  of  the  agency. 

7  SEC.  323.  CIVIL  ACTION  BY  INDIVIDUALS. 

8  (a)  In  General. — ^Any  individual  whose  rights  under 

9  this  Act  have  been  knowingly  or  negligently  violated  may 

10  bring  a  civil  action  to  recover — 

11  (1)  such  preliminary  and  equitable  relief  as  the 

12  court  determines  to  be  appropriate;  and 

13  (2)  the  gi'eater  of  compensatory  damages  or  liq- 

14  uidated  damages  of  $5,000. 

15  (b)  Punitive  Damages. — In  any  action  brought 

16  under  this  section  in  which  the  individual  has  prevailed 

17  because  of  a  knowing  violation  of  a  provision  of  this  Act, 

18  the  court  may,  in  addition  to  any  relief  awarded  under 

19  subsection  (a),  award  such  punitive  damages  as  may  be 

20  warranted. 

21  (c)  Attorney's  Fees. — In  the  case  of  a  civil  action 

22  brought  under  subsection  (a)  in  which  the  individual  has 

23  substantially  prevailed,  the  court  may  assess  against  the 

24  respondent  a  reasonable  attorney's  fee  and  other  litigation 


•HR  1057  IH 


78 

1  costs  and  expenses  (including  expert  fees)  reasonably  in- 

2  cur  red.  ,     .                :   ;  r;:  ? 

3  (d)  Limitation. — No  action  may  be  commenced 

4  under  this  section  more  than  3  years  after  the  date  on 

5  which  the  violation  was  or  should  reasonably  have  been 

6  discovered.  w  ■ 

7  (e)  Agency. — principal  is  jointly  and  severally  lia- 

8  ble  with  the  principal's  agent  for  damages  under  this  sec- 

9  tion  for  the  actions  of  the  principal's  agent  acting  within 

10  the  scope  of  the  agency.  ;  -i 

1 1  (f)  Additional  Remedies. — The  equitable  relief  or 

12  damages  that  may  be  available  under  this  section  shall  be 

13  in  additional  to  any  other  lawful  remedy  or  award  avail- 

14  able. 

15  TITLE  IV— MISCELLANEOUS 

16  SEC.  401.  RELATIONSHIP  TO  OTHER  LAWS. 

17  (a)  Federal  and  State  Laws. — Nothing  in  this 

18  Act  shall  be  construed  as  preempting,  superseding,  or  re- 

19  pealing,  explicitly  or  implicitly,  other  Federal  or  State  laws 

20  or  regulations  relating  to  protected  health  information  or 

21  relating  to  an  individual's  access  to  protected  health  infor- 

22  mation  or  health  care  services,  if  such  laws  or  regulations 

23  provide  protections  for  the  rights  of  individuals  to  the  pri- 

24  vacy  of,  and  access  to,  their  health  information  that  are 

25  ^eater  than  those  provided  for  in  this  Act. 
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1  (b)  Privileges. — Nothing  in  this  Act  shall  be  con- 

2  strued  to  preempt  or  modify  any  provisions  of  State  statu- 

3  tory  or  common  law  to  the  extent  that  such  law  concerns 

4  a  privilege  of  a  witness  or  person  in  a  court  of  that  State. 

5  This  Act  shall  not  be  construed  to  supersede  or  modify 

6  any  provision  of  Federal  statutory  or  common  law  to  the 

7  extent  such  law  concerns  a  privilege  of  a  witness  or  person 

8  in  a  court  of  the  United  States.  Authorizations  pursuant 

9  to  section  202  shall  not  be  construed  as  a  waiver  of  any 

10  such  privilege. 

11  (c)  Certain  Duties  Under  Law. — Nothing  in  this 

12  Act  shall  be  construed  to  preempt,  supersede,  or  modify 

13  the  operation  of  any  State  law  that —    '  ^ 

14  (1)  provides  for  the  reporting  of  vital  statistics 

15  such  as  birth  or  death  information; 

16  (2)  requires  the  reporting  of  abuse  or  neglect 

17  information  about  any  individual;  - 

18  (3)  regulates  the  disclosure  or  reporting  of  in- 

19  formation  concerning  an  individual's  mental  health; 

20  or  ■         •  •  ••        —    -  -  ■ 

21  (4)  governs  a  minor's  rights  to  access  protected 

22  health  information  or  health  care  services. 

23  (d)  Federal  Privacy  Act. —    .  ii  ;  i     v/    .  ■  - 
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1  (1)  Medical  exemptions. — Section  552a  of 

2  title  5,  United  States  Code,  is  amended  by  adding 

3  at  the  end  the  following: 

4  "(w)   Certain  Protected  Health  Inforivia- 

5  TION. — The  head  of  an  agency  that  is  a  health  care  pro- 

6  vider,  health  plan,  health  oversight  agency,  employer,  in- 

7  surer,  health  or  life  insurer,  school  or  university,  or  person 

8  who  receives  protected  health  information  under  section 

9  204  of  the  Medical  Information  Privacy  and  Security  Act 

10  shall  promulgate  rules,  in  accordance  with  the  require- 

11  ments  (including  general  notice)  of  subsections  (b)(1), 

12  (b)(2),  (b)(3),  (c),  (e)  of  section  553  of  this  title,  to  ex- 

13  empt  a  system  of  records  within  the  agency,  to  the  extent 

1 4  that  the  system  of  records  contains  protected  health  infor- 

15  mation  (as  defined  in  section  4  of  such  Act),  from  all  pro- 

16  visions  of  this  section  except  subsections  (b)(6),  (d), 

17  (e)(1),  (e)(2),  subparagraphs  (A)  through  (C)  and  (E) 

18  through  (I)  of  subsection  (e)(4),  and  subsections  (e)(5), 

19  (e)(6),  (e)(9),  (e)(12),  (1),  (n),  (o),  (p),  (r),  and  (u).". 

20  (2)       Technical       amendment. — Section 

21  552a(f)(3)  of  title  5,  United  States  Code,  is  amend- 

22  ed  by  striking  "pertaining  to  him,"  and  all  that  fol- 

23  lows  through  the  semicolon  and  inserting  "pertain- 

24  ing  to  the  individual." 
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1  (e)  Constitution. — Nothing  in  this  Act  shall  be 

2  construed  to  alter,  diminish,  or  otherwise  weaken  existing 

3  legal  standards  under  the  Constitution  regarding  the  con- 

4  fidentiahty  of  protected  health  information. 

5  SEC.  402.  EFFECTIVE  DATE. 

6  (a)  Effective  Date. — Unless  specifically  provided 

7  for  otherwise,  this  Act  shall  take  effect  on  the  date  that 

8  is  12  months  after  the  date  of  the  promulgation  of  the 

9  regulations  required  under  subsection  (b),  or  30  months 

10  after  the  date  of  enactment  of  this  Act,  whichever  is  ear- 

11  lier. 

12  (b)  Regulations. — Not  later  than  12  months  after 

13  the  date  of  enactment  of  this  Act,  or  as  specifically  pro- 

14  vided  for  otherwise,  the  Secretary  shall  promulgate  regula- 

15  tions  implementing  this  Act.     ,  ■ 

O        .     ^  :   -       ■  .    ■  .... 
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